################################################################
# abuse.ch SSLBL Snort / Suricata Botnet C2 IP Ruleset         #
# Aggressive                                                   #
# Last updated: 2021-01-19 19:01:54 UTC                        #
#                                                              #
# Terms Of Use: https://sslbl.abuse.ch/blacklist/              #
# For questions please contact sslbl [at] abuse.ch             #
################################################################
#
# Reading notes for operators:
# - Every rule below has the same shape: an established TCP flow from
#   $HOME_NET, client-to-server, to one fixed destination IP and port.
#   Nothing in the payload or TLS handshake is inspected, so a hit means
#   "a monitored host connected to this address:port", not "this malware
#   was observed on the wire".
# - The family name in msg ("likely ...") is the feed's attribution for
#   the listed endpoint; the rule itself cannot confirm it.
# - threshold: type limit, track by_src, seconds 60, count 1 caps output
#   at one alert per source address per 60 seconds for each sid. Alert
#   counts therefore understate connection counts; use flow records to
#   judge volume and duration.
# - The action is "alert" on every rule: these entries log, they do not
#   block.
# - This is a point-in-time list (see "Last updated"). IP-based
#   indicators go stale as addresses are reassigned, so check the age of
#   the file before treating a hit as current, and refresh from the feed
#   rather than keeping an old copy loaded.
# - NOTE(review): the "Aggressive" variant is understood to keep entries
#   listed longer than the default SSLBL IP list, which raises the
#   false-positive rate -- confirm against the feed documentation.
# - Some addresses appear under several ports and sids (for example
#   13.58.162.35 and 92.185.183.6); correlate hits by destination IP as
#   well as by sid.
# - sids here run upward from 905200000; keep locally written rules out
#   of that range so a feed update cannot clash with them.
#
alert tcp $HOME_NET any -> [134.122.40.38] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200000; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.23] 30493 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200001; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.107] 4783 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200002; rev:1;)
alert tcp $HOME_NET any -> [195.206.105.10] 3988 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200003; rev:1;)
alert tcp $HOME_NET any -> [185.200.243.169] 51817 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200004; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.189] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200005; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.18] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200006; rev:1;)
alert tcp $HOME_NET any -> [20.50.121.62] 1604 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200007; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.188] 1993 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200008; rev:1;)
alert tcp $HOME_NET any -> [91.109.186.3] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200009; rev:1;)
alert tcp $HOME_NET any -> [176.43.110.149] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200010; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.135] 1010 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200011; rev:1;)
alert tcp $HOME_NET any -> [80.209.241.21] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200012; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.45] 2233 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200013; rev:1;)
alert tcp $HOME_NET any -> [18.188.97.62] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200014; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.173] 1993 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200015; rev:1;)
alert tcp $HOME_NET any -> [115.126.25.22] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200016; rev:1;)
alert tcp $HOME_NET any -> [198.23.212.149] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200017; rev:1;)
alert tcp $HOME_NET any -> [13.58.162.35] 1028 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200018; rev:1;)
alert tcp $HOME_NET any -> [124.156.187.132] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200019; rev:1;)
alert tcp $HOME_NET any -> [136.244.98.158] 1000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200020; rev:1;)
alert tcp $HOME_NET any -> [92.185.183.6] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200021; rev:1;)
alert tcp $HOME_NET any -> [84.38.180.119] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200022; rev:1;)
alert tcp $HOME_NET any -> [103.153.100.248] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200023; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.182] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200024; rev:1;)
alert tcp $HOME_NET any -> [68.235.43.126] 56927 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200025; rev:1;)
alert tcp $HOME_NET any -> [194.33.45.43] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200026; rev:1;)
alert tcp $HOME_NET any -> [85.86.181.192] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200027; rev:1;)
alert tcp $HOME_NET any -> [107.172.100.227] 3040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200028; rev:1;)
alert tcp $HOME_NET any -> [103.147.184.53] 1991 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200029; rev:1;)
alert tcp $HOME_NET any -> [13.58.162.35] 6207 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200030; rev:1;)
alert tcp $HOME_NET any -> [218.253.251.89] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200031; rev:1;)
alert tcp $HOME_NET any -> [68.235.43.124] 56927 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200032; rev:1;)
alert tcp $HOME_NET any -> [3.87.210.81] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200033; rev:1;)
alert tcp $HOME_NET any -> [46.243.150.195] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200034; rev:1;)
alert tcp $HOME_NET any -> [217.69.0.99] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200035; rev:1;)
alert tcp $HOME_NET any -> [41.105.120.192] 1231 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200036; rev:1;)
alert tcp $HOME_NET any -> [107.172.100.223] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200037; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.122] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200038; rev:1;)
alert tcp $HOME_NET any -> [198.23.212.148] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200039; rev:1;)
alert tcp $HOME_NET any -> [188.72.124.19] 3310 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200040; rev:1;)
alert tcp $HOME_NET any -> [95.179.152.155] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200041; rev:1;)
alert tcp $HOME_NET any -> [92.185.183.6] 81 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200042; rev:1;)
alert tcp $HOME_NET any -> [182.150.0.31] 19530 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200043; rev:1;)
alert tcp $HOME_NET any -> [168.119.103.207] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200044; rev:1;)
alert tcp $HOME_NET any -> [185.58.92.18] 5353 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200045; rev:1;)
alert tcp $HOME_NET any -> [196.74.226.94] 92 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200046; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.216] 5210 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200047; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.165] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200048; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.128] 9875 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200049; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.93] 4545 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200050; rev:1;)
alert tcp $HOME_NET any -> [46.31.77.31] 1453 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200051; rev:1;)
alert tcp $HOME_NET any -> [38.132.99.154] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200052; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.88] 6458 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200053; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.178] 7743 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200054; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.234] 5366 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200055; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.22] 7898 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200056; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.22] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200057; rev:1;)
alert tcp $HOME_NET any -> [195.20.109.121] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200058; rev:1;)
alert tcp $HOME_NET any -> [92.185.183.6] 14444 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200059; rev:1;)
alert tcp $HOME_NET any -> [37.46.150.155] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200060; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.186] 9000 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200061; rev:1;)
alert tcp $HOME_NET any -> [38.68.46.205] 8950 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200062; rev:1;)
alert tcp $HOME_NET any -> [13.58.162.35] 10137 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200063; rev:1;)
alert tcp $HOME_NET any -> [196.89.158.176] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200064; rev:1;)
alert tcp $HOME_NET any -> [3.35.158.172] 1199 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200065; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.195] 5366 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200066; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.173] 5922 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200067; rev:1;)
alert tcp $HOME_NET any -> [176.48.141.174] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200068; rev:1;)
alert tcp $HOME_NET any -> [5.2.68.112] 2442 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200069; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.191] 4185 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200070; rev:1;)
alert tcp $HOME_NET any -> [168.119.170.202] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200071; rev:1;)
alert tcp $HOME_NET any -> [135.181.96.16] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200072; rev:1;)
alert tcp $HOME_NET any -> [13.58.162.35] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200073; rev:1;)
alert tcp $HOME_NET any -> [82.246.130.70] 4440 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200074; rev:1;)
alert tcp $HOME_NET any -> [87.98.245.48] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200075; rev:1;)
alert tcp $HOME_NET any -> [185.58.92.18] 4500 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200076; rev:1;)
alert tcp $HOME_NET any -> [120.78.194.220] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200077; rev:1;)
alert tcp $HOME_NET any -> [185.157.161.86] 20058 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200078; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.128] 3071 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200079; rev:1;)
alert tcp $HOME_NET any -> [139.155.18.71] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200080; rev:1;)
alert tcp $HOME_NET any -> [51.11.247.87] 2053 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200081; rev:1;)
alert tcp $HOME_NET any -> [86.137.28.177] 3073 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200082; rev:1;)
alert tcp $HOME_NET any -> [141.255.157.36] 10001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200083; rev:1;)
alert tcp $HOME_NET any -> [192.121.102.72] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200084; rev:1;)
alert tcp $HOME_NET any -> [154.127.53.5] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200085; rev:1;)
alert tcp $HOME_NET any -> [139.59.23.248] 3439 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200086; rev:1;)
alert tcp $HOME_NET any -> [88.229.12.141] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200087; rev:1;)
alert tcp $HOME_NET any -> [191.88.250.254] 8050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200088; rev:1;)
alert tcp $HOME_NET any -> [192.121.102.80] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200089; rev:1;)
alert tcp $HOME_NET any -> [88.229.12.141] 222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200090; rev:1;)
alert tcp $HOME_NET any -> [3.22.15.135] 14345 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200091; rev:1;)
alert tcp $HOME_NET any -> [45.133.216.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200092; rev:1;)
alert tcp $HOME_NET any -> [8.210.39.131] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200093; rev:1;)
alert tcp $HOME_NET any -> [174.138.10.67] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200094; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.166] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200095; rev:1;)
alert tcp $HOME_NET any -> [41.216.186.241] 443 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200096; rev:1;)
alert tcp $HOME_NET any -> [173.234.155.108] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200097; rev:1;)
alert tcp $HOME_NET any -> [45.32.146.181] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200098; rev:1;)
alert tcp $HOME_NET any -> [197.207.162.125] 1231 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200099; rev:1;)
alert tcp $HOME_NET any -> [185.157.161.86] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200100; rev:1;)
alert tcp $HOME_NET any -> [3.95.159.27] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200101; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.128] 6204 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200102; rev:1;)
alert tcp $HOME_NET any -> [192.119.6.132] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200103; rev:1;)
alert tcp $HOME_NET any -> [220.78.86.55] 1324 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200104; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 52297 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200105; rev:1;)
alert tcp $HOME_NET any -> [1.54.66.90] 3189 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200106; rev:1;)
alert tcp $HOME_NET any -> [85.86.181.192] 3333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200107; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 56207 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200108; rev:1;)
alert tcp $HOME_NET any -> [103.149.27.116] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200109; rev:1;)
alert tcp $HOME_NET any -> [178.33.222.243] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200110; rev:1;)
alert tcp $HOME_NET any -> [74.124.24.29] 2221 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200111; rev:1;)
alert tcp $HOME_NET any -> [220.89.249.206] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200112; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.226] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200113; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.119] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200114; rev:1;)
alert tcp $HOME_NET any -> [185.244.26.240] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200115; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.186] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200116; rev:1;)
alert tcp $HOME_NET any -> [185.118.164.215] 4545 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200117; rev:1;)
alert tcp $HOME_NET any -> [185.36.81.30] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200118; rev:1;)
alert tcp $HOME_NET any -> [172.245.45.22] 9800 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200119; rev:1;)
alert tcp $HOME_NET any -> [54.39.49.150] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200120; rev:1;)
alert tcp $HOME_NET any -> [178.62.18.176] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200121; rev:1;)
alert tcp $HOME_NET any -> [178.33.222.243] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200122; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.46] 7890 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200123; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.221] 6458 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200124; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.221] 7743 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200125; rev:1;)
alert tcp $HOME_NET any -> [179.43.166.54] 8070 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200126; rev:1;)
alert tcp $HOME_NET any -> [47.93.122.30] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200127; rev:1;)
alert tcp $HOME_NET any -> [104.248.32.109] 22998 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200128; rev:1;)
alert tcp $HOME_NET any -> [142.202.190.30] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200129; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 21457 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200130; rev:1;)
alert tcp $HOME_NET any -> [38.74.14.151] 7832 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200131; rev:1;)
alert tcp $HOME_NET any -> [142.202.190.30] 3040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200132; rev:1;)
alert tcp $HOME_NET any -> [66.63.162.20] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200133; rev:1;)
alert tcp $HOME_NET any -> [35.226.208.32] 4440 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200134; rev:1;)
alert tcp $HOME_NET any -> [111.229.83.227] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200135; rev:1;)
alert tcp $HOME_NET any -> [45.227.255.74] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200136; rev:1;)
alert tcp $HOME_NET any -> [180.214.236.99] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200137; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.24] 1800 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200138; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.17] 9040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200139; rev:1;) alert tcp $HOME_NET any -> [128.90.108.161] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200140; rev:1;) alert tcp $HOME_NET any -> [86.106.181.177] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200141; rev:1;) alert tcp $HOME_NET any -> [3.19.26.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200142; rev:1;) alert tcp $HOME_NET any -> [41.141.241.250] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200143; rev:1;) alert tcp $HOME_NET any -> [23.105.131.129] 3071 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200144; rev:1;) alert tcp $HOME_NET any -> [37.120.208.40] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200145; rev:1;) alert tcp $HOME_NET any -> [185.140.53.211] 5277 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200146; rev:1;) alert tcp $HOME_NET any -> [198.44.97.180] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200147; rev:1;) alert tcp $HOME_NET any -> [45.142.215.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200148; rev:1;) alert tcp $HOME_NET any -> [185.82.202.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200149; rev:1;) alert tcp $HOME_NET any -> [54.253.227.154] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200150; rev:1;) alert tcp $HOME_NET any -> [185.14.30.217] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200151; rev:1;) alert tcp $HOME_NET any -> [185.128.25.29] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200152; rev:1;) alert tcp $HOME_NET any -> [160.20.146.178] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200153; rev:1;) alert tcp $HOME_NET any -> [172.86.75.177] 6922 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200154; rev:1;) alert tcp $HOME_NET any -> [185.191.32.180] 443 (msg:"SSLBL: Traffic to 
malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200155; rev:1;)
alert tcp $HOME_NET any -> [81.70.2.180] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200156; rev:1;)
alert tcp $HOME_NET any -> [185.193.36.73] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200157; rev:1;)
alert tcp $HOME_NET any -> [178.128.220.110] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200158; rev:1;)
alert tcp $HOME_NET any -> [103.74.192.54] 4443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200159; rev:1;)
alert tcp $HOME_NET any -> [47.114.39.239] 12345 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200160; rev:1;)
# NOTE(review): sid:905200161 and sid:905200162 have the same header
# (185.157.162.81, port 1973) and the same options; only the msg label
# ("QuasarRAT" vs the generic "Malware") and the sid differ. One established
# connection to that endpoint satisfies both rules. The threshold option is
# written inside each rule and is counted per rule, so the 60-second limit does
# not collapse the pair: expect two alerts per source for the same flow.
# When triaging, correlate on destination IP:port rather than on sid, and
# prefer the family-specific label; if the doubled alert is noise in your
# pipeline, suppress the generic one locally rather than editing the feed,
# since a feed refresh would overwrite local changes to this file.
alert tcp $HOME_NET any -> [185.157.162.81] 1973 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200161; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.81] 1973 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200162; rev:1;)
alert tcp $HOME_NET any -> 
[185.20.185.96] 9091 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200163; rev:1;) alert tcp $HOME_NET any -> [193.239.147.22] 43360 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200164; rev:1;) alert tcp $HOME_NET any -> [91.241.19.51] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200165; rev:1;) alert tcp $HOME_NET any -> [103.153.76.244] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200166; rev:1;) alert tcp $HOME_NET any -> [185.157.161.109] 1973 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200167; rev:1;) alert tcp $HOME_NET any -> [171.221.221.25] 2049 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200168; rev:1;) alert tcp $HOME_NET any -> [79.134.225.20] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200169; rev:1;) alert tcp $HOME_NET any -> [45.134.21.8] 72 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200170; rev:1;) alert tcp $HOME_NET any -> [2.56.213.183] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200171; rev:1;) alert tcp $HOME_NET any -> [154.44.177.186] 4433 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200172; rev:1;) alert tcp $HOME_NET any -> [185.19.85.155] 5080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200173; rev:1;) alert tcp $HOME_NET any -> [45.144.30.25] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200174; rev:1;) alert tcp $HOME_NET any -> [185.105.109.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware.DarkSide C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200175; rev:1;) alert tcp $HOME_NET any -> [45.141.59.139] 9898 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200176; rev:1;) alert tcp $HOME_NET any -> [88.119.171.64] 72 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200177; rev:1;) alert tcp $HOME_NET any -> [41.227.47.76] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905200178; rev:1;) alert tcp $HOME_NET any -> [207.148.70.82] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200179; rev:1;) alert tcp $HOME_NET any -> [175.203.53.37] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200180; rev:1;) alert tcp $HOME_NET any -> [160.20.146.178] 5075 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200181; rev:1;) alert tcp $HOME_NET any -> [34.203.235.59] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200182; rev:1;) alert tcp $HOME_NET any -> [80.82.77.164] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200183; rev:1;) alert tcp $HOME_NET any -> [117.51.149.186] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200184; rev:1;) alert tcp $HOME_NET any -> [178.79.134.144] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200185; rev:1;) alert tcp $HOME_NET any -> [194.5.97.249] 9951 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200186; rev:1;) alert tcp $HOME_NET any -> [185.250.242.202] 7000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200187; rev:1;) alert tcp $HOME_NET any -> [185.128.25.29] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200188; rev:1;) alert tcp $HOME_NET any -> [45.144.30.41] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200189; rev:1;) alert tcp $HOME_NET any -> [23.105.131.165] 8094 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200190; rev:1;) alert tcp $HOME_NET any -> [185.58.95.125] 4500 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200191; rev:1;) alert tcp $HOME_NET any -> [45.141.59.139] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200192; rev:1;) alert tcp $HOME_NET any -> [132.232.94.126] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200193; rev:1;) alert tcp $HOME_NET any -> [79.134.225.54] 4545 (msg:"SSLBL: Traffic to 
malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200194; rev:1;) alert tcp $HOME_NET any -> [195.123.217.7] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200195; rev:1;) alert tcp $HOME_NET any -> [154.208.76.59] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200196; rev:1;) alert tcp $HOME_NET any -> [161.35.218.255] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200197; rev:1;) alert tcp $HOME_NET any -> [79.134.225.37] 30493 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200198; rev:1;) alert tcp $HOME_NET any -> [79.134.225.50] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200199; rev:1;) alert tcp $HOME_NET any -> [5.230.22.165] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200200; rev:1;) alert tcp $HOME_NET any -> [47.95.37.84] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200201; rev:1;) alert tcp $HOME_NET any -> 
[34.211.110.219] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200202; rev:1;) alert tcp $HOME_NET any -> [185.128.25.29] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200203; rev:1;) alert tcp $HOME_NET any -> [47.103.212.53] 16777 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200204; rev:1;) alert tcp $HOME_NET any -> [69.51.24.27] 666 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200205; rev:1;) alert tcp $HOME_NET any -> [37.120.208.39] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200206; rev:1;) alert tcp $HOME_NET any -> [37.59.47.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200207; rev:1;) alert tcp $HOME_NET any -> [37.120.208.36] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200208; rev:1;) alert tcp $HOME_NET any -> [78.128.113.14] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200209; rev:1;) alert tcp $HOME_NET any -> [45.140.146.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200210; rev:1;) alert tcp $HOME_NET any -> [45.140.147.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200211; rev:1;) alert tcp $HOME_NET any -> [81.69.14.19] 45832 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200212; rev:1;) alert tcp $HOME_NET any -> [173.234.25.74] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200213; rev:1;) alert tcp $HOME_NET any -> [192.253.244.149] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200214; rev:1;) alert tcp $HOME_NET any -> [119.3.141.162] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200215; rev:1;) alert tcp $HOME_NET any -> [185.153.198.121] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200216; rev:1;) alert tcp $HOME_NET any -> [176.122.152.67] 4433 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905200217; rev:1;) alert tcp $HOME_NET any -> [194.113.34.49] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200218; rev:1;) alert tcp $HOME_NET any -> [37.120.208.36] 49703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200219; rev:1;) alert tcp $HOME_NET any -> [47.91.237.42] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200220; rev:1;) alert tcp $HOME_NET any -> [79.134.225.14] 8070 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200221; rev:1;) alert tcp $HOME_NET any -> [172.245.26.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200222; rev:1;) alert tcp $HOME_NET any -> [203.115.24.234] 8282 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200223; rev:1;) alert tcp $HOME_NET any -> [185.244.30.253] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200224; rev:1;) alert tcp $HOME_NET any -> [62.102.148.158] 62727 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200225; rev:1;) alert tcp $HOME_NET any -> [45.32.129.110] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200226; rev:1;) alert tcp $HOME_NET any -> [185.244.26.206] 20905 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200227; rev:1;) alert tcp $HOME_NET any -> [142.202.190.27] 3040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200228; rev:1;) alert tcp $HOME_NET any -> [79.134.225.99] 4726 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200229; rev:1;) alert tcp $HOME_NET any -> [160.20.146.178] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200230; rev:1;) alert tcp $HOME_NET any -> [185.140.53.234] 2558 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200231; rev:1;) alert tcp $HOME_NET any -> [43.242.201.222] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200232; rev:1;) alert tcp $HOME_NET any -> [79.134.225.104] 20905 (msg:"SSLBL: Traffic to malicious host (likely 
AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200233; rev:1;) alert tcp $HOME_NET any -> [169.61.11.75] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200234; rev:1;) alert tcp $HOME_NET any -> [91.109.188.7] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200235; rev:1;) alert tcp $HOME_NET any -> [84.38.183.222] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200236; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 57654 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200237; rev:1;) alert tcp $HOME_NET any -> [108.62.118.217] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200238; rev:1;) alert tcp $HOME_NET any -> [8.210.125.201] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200239; rev:1;) alert tcp $HOME_NET any -> [217.12.208.31] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200240; rev:1;) alert tcp $HOME_NET any -> [155.94.198.169] 
1990 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200241; rev:1;) alert tcp $HOME_NET any -> [154.127.53.31] 5252 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200242; rev:1;) alert tcp $HOME_NET any -> [194.5.97.177] 10011 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200243; rev:1;) alert tcp $HOME_NET any -> [18.207.200.0] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200244; rev:1;) alert tcp $HOME_NET any -> [3.15.15.105] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200245; rev:1;) alert tcp $HOME_NET any -> [47.242.30.106] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200246; rev:1;) alert tcp $HOME_NET any -> [45.254.64.7] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200247; rev:1;) alert tcp $HOME_NET any -> [18.216.15.65] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200248; rev:1;) alert 
tcp $HOME_NET any -> [34.204.7.171] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200249; rev:1;) alert tcp $HOME_NET any -> [91.193.75.108] 8070 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200250; rev:1;) alert tcp $HOME_NET any -> [37.120.208.37] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200251; rev:1;) alert tcp $HOME_NET any -> [47.108.129.143] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200252; rev:1;) alert tcp $HOME_NET any -> [217.12.218.250] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200253; rev:1;) alert tcp $HOME_NET any -> [188.119.112.174] 8081 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200254; rev:1;) alert tcp $HOME_NET any -> [3.129.73.255] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200255; rev:1;) alert tcp $HOME_NET any -> [185.244.30.185] 9101 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200256; rev:1;)
# Reviewer notes for the rules that follow (laid out one rule per line; the
# line above is the tail of a rule that starts earlier in the file).
#
# What a hit means: every rule here matches an established, client-to-server
# TCP flow from $HOME_NET to one fixed destination IP and port. None carries a
# content, TLS or certificate condition, so an alert says "an internal host
# connected to this address"; the family named in msg is the feed's "likely"
# label, not something these rules observe on the wire.
#
# Alert volume: threshold type limit / track by_src / seconds 60 / count 1
# emits at most one alert per source address per rule per 60 seconds. Alert
# counts therefore under-report repeated connections; use flow records to
# measure how often a host actually connected.
#
# Freshness: the file header gives "Last updated: 2021-01-19". IP:port
# indicators go stale as addresses are reassigned, so compare the time of the
# traffic with the feed date and corroborate with endpoint, DNS or TLS
# evidence before treating the source host as compromised.
#
# Repeated destinations in this span: 134.19.177.55 appears on ports 4040,
# 3040 and 2020, and 185.140.53.132 on 7799, 6868 and 5484. A connection to
# one of those hosts on a port that is not listed raises no alert from these
# rules.
#
# NOTE(review): Snort 2.x documents the in-rule threshold keyword as
# deprecated in favour of event_filter / detection_filter - confirm that the
# engine version in use still accepts it before loading the file.
alert tcp $HOME_NET any -> [18.223.210.216] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200257; rev:1;)
alert tcp $HOME_NET any -> [96.9.241.60] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200258; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.75] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200259; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.186] 2626 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200260; rev:1;)
alert tcp $HOME_NET any -> [45.147.229.52] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200261; rev:1;)
alert tcp $HOME_NET any -> [91.203.193.163] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200262; rev:1;)
alert tcp $HOME_NET any -> [157.230.184.142] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200263; rev:1;)
alert tcp $HOME_NET any -> [2.56.213.183] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200264; rev:1;)
alert tcp $HOME_NET any -> [35.161.73.88] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200265; rev:1;)
alert tcp $HOME_NET any -> [54.236.241.94] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200266; rev:1;)
alert tcp $HOME_NET any -> [177.255.91.168] 8057 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200267; rev:1;)
alert tcp $HOME_NET any -> [62.171.141.54] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200268; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.141] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200269; rev:1;)
alert tcp $HOME_NET any -> [47.241.25.81] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200270; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.249] 4371 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200271; rev:1;)
alert tcp $HOME_NET any -> [185.118.167.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200272; rev:1;)
alert tcp $HOME_NET any -> [47.251.11.230] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200273; rev:1;)
alert tcp $HOME_NET any -> [46.166.161.85] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200274; rev:1;)
alert tcp $HOME_NET any -> [173.234.155.227] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200275; rev:1;)
alert tcp $HOME_NET any -> [207.148.116.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200276; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.82] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200277; rev:1;)
alert tcp $HOME_NET any -> [3.82.47.49] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200278; rev:1;)
alert tcp $HOME_NET any -> [35.160.72.225] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200279; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.218] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200280; rev:1;)
alert tcp $HOME_NET any -> [45.128.206.55] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200281; rev:1;)
alert tcp $HOME_NET any -> [74.118.138.139] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200282; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.39] 6513 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200283; rev:1;)
alert tcp $HOME_NET any -> [3.93.232.10] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200284; rev:1;)
alert tcp $HOME_NET any -> [45.147.231.65] 3002 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200285; rev:1;)
alert tcp $HOME_NET any -> [45.79.72.33] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200286; rev:1;)
alert tcp $HOME_NET any -> [54.224.34.171] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200287; rev:1;)
alert tcp $HOME_NET any -> [34.222.33.48] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200288; rev:1;)
alert tcp $HOME_NET any -> [18.219.29.151] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200289; rev:1;)
alert tcp $HOME_NET any -> [8.209.124.215] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200290; rev:1;)
alert tcp $HOME_NET any -> [2.56.62.44] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200291; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.47] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200292; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.149] 6667 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200293; rev:1;)
alert tcp $HOME_NET any -> [188.116.36.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200294; rev:1;)
alert tcp $HOME_NET any -> [8.208.102.117] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200295; rev:1;)
alert tcp $HOME_NET any -> [45.128.207.226] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200296; rev:1;)
alert tcp $HOME_NET any -> [91.109.176.2] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200297; rev:1;)
alert tcp $HOME_NET any -> [139.155.245.29] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200298; rev:1;)
alert tcp $HOME_NET any -> [103.214.165.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200299; rev:1;)
alert tcp $HOME_NET any -> [93.114.128.73] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200300; rev:1;)
alert tcp $HOME_NET any -> [142.93.7.219] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200301; rev:1;)
alert tcp $HOME_NET any -> [192.253.244.137] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200302; rev:1;)
alert tcp $HOME_NET any -> [45.147.230.131] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200303; rev:1;)
alert tcp $HOME_NET any -> [46.173.218.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200304; rev:1;)
alert tcp $HOME_NET any -> [118.107.41.104] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200305; rev:1;)
alert tcp $HOME_NET any -> [118.89.139.166] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200306; rev:1;)
alert tcp $HOME_NET any -> [54.245.74.151] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200307; rev:1;)
alert tcp $HOME_NET any -> [18.188.194.80] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200308; rev:1;)
alert tcp $HOME_NET any -> [156.96.47.42] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200309; rev:1;)
alert tcp $HOME_NET any -> [193.218.118.190] 2407 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200310; rev:1;)
alert tcp $HOME_NET any -> [185.183.96.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200311; rev:1;)
alert tcp $HOME_NET any -> [134.19.177.55] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200312; rev:1;)
alert tcp $HOME_NET any -> [101.32.183.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200313; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.15] 43360 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200314; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.130] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200315; rev:1;)
alert tcp $HOME_NET any -> [103.27.237.75] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200316; rev:1;)
alert tcp $HOME_NET any -> [34.221.202.231] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200317; rev:1;)
alert tcp $HOME_NET any -> [3.137.180.197] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200318; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.249] 4571 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200319; rev:1;)
alert tcp $HOME_NET any -> [192.253.244.137] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200320; rev:1;)
alert tcp $HOME_NET any -> [37.120.208.36] 49714 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200321; rev:1;)
alert tcp $HOME_NET any -> [222.114.199.209] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200322; rev:1;)
alert tcp $HOME_NET any -> [8.208.76.109] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200323; rev:1;)
alert tcp $HOME_NET any -> [3.15.221.20] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200324; rev:1;)
alert tcp $HOME_NET any -> [139.59.230.84] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200325; rev:1;)
# sid 905200326 and 905200327 match the same destination and port and differ
# only in the family named in msg; a single connection can raise both, so
# de-duplicate on destination when triaging and do not rely on the family
# label alone.
alert tcp $HOME_NET any -> [101.32.97.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200326; rev:1;)
alert tcp $HOME_NET any -> [101.32.97.85] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200327; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.24] 8913 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200328; rev:1;)
alert tcp $HOME_NET any -> [34.205.89.33] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200329; rev:1;)
alert tcp $HOME_NET any -> [52.34.17.37] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200330; rev:1;)
alert tcp $HOME_NET any -> [47.254.169.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200331; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.217] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200332; rev:1;)
alert tcp $HOME_NET any -> [3.81.126.82] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200333; rev:1;)
alert tcp $HOME_NET any -> [54.162.201.128] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200334; rev:1;)
alert tcp $HOME_NET any -> [18.207.182.253] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200335; rev:1;)
alert tcp $HOME_NET any -> [3.235.164.215] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200336; rev:1;)
alert tcp $HOME_NET any -> [45.128.207.41] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200337; rev:1;)
alert tcp $HOME_NET any -> [35.160.125.254] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200338; rev:1;)
alert tcp $HOME_NET any -> [52.12.203.202] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200339; rev:1;)
alert tcp $HOME_NET any -> [13.58.213.252] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200340; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.5] 1221 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200341; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.83] 8913 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200342; rev:1;)
alert tcp $HOME_NET any -> [202.182.121.93] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200343; rev:1;)
alert tcp $HOME_NET any -> [47.254.26.204] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200344; rev:1;)
alert tcp $HOME_NET any -> [45.128.207.185] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200345; rev:1;)
alert tcp $HOME_NET any -> [178.79.179.200] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200346; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.40] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200347; rev:1;)
alert tcp $HOME_NET any -> [18.209.104.208] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200348; rev:1;)
alert tcp $HOME_NET any -> [54.175.34.120] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200349; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.140] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200350; rev:1;)
alert tcp $HOME_NET any -> [161.117.254.2] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200351; rev:1;)
alert tcp $HOME_NET any -> [205.185.113.54] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200352; rev:1;)
alert tcp $HOME_NET any -> [191.88.254.193] 1880 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200353; rev:1;)
alert tcp $HOME_NET any -> [172.98.192.91] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200354; rev:1;)
alert tcp $HOME_NET any -> [178.33.222.241] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200355; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.251] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200356; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.132] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200357; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.174] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200358; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.92] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200359; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200360; rev:1;)
alert tcp $HOME_NET any -> [178.33.222.241] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200361; rev:1;)
alert tcp $HOME_NET any -> [217.8.117.17] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200362; rev:1;)
alert tcp $HOME_NET any -> [31.220.4.216] 7010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200363; rev:1;)
alert tcp $HOME_NET any -> [104.161.77.84] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200364; rev:1;)
alert tcp $HOME_NET any -> [185.150.117.63] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200365; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.21] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200366; rev:1;)
alert tcp $HOME_NET any -> [188.166.220.127] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200367; rev:1;)
alert tcp $HOME_NET any -> [46.166.161.159] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200368; rev:1;)
alert tcp $HOME_NET any -> [46.166.129.195] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200369; rev:1;)
alert tcp $HOME_NET any -> [164.90.153.241] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200370; rev:1;)
alert tcp $HOME_NET any -> [18.222.171.22] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200371; rev:1;)
alert tcp $HOME_NET any -> [137.117.241.192] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200372; rev:1;)
alert tcp $HOME_NET any -> [92.38.149.158] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200373; rev:1;)
alert tcp $HOME_NET any -> [134.19.177.55] 3040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200374; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.18] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200375; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.16] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200376; rev:1;)
alert tcp $HOME_NET any -> [94.156.35.109] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200377; rev:1;)
alert tcp $HOME_NET any -> [104.168.175.192] 444 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200378; rev:1;)
alert tcp $HOME_NET any -> [43.242.201.222] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200379; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.225] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200380; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.167] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200381; rev:1;)
alert tcp $HOME_NET any -> [5.188.0.82] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200382; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.28] 2190 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200383; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.73] 5610 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200384; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.138] 1382 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200385; rev:1;)
alert tcp $HOME_NET any -> [185.231.113.131] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200386; rev:1;)
alert tcp $HOME_NET any -> [103.207.39.83] 1024 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200387; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.171] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200388; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.23] 9321 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200389; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.35] 1690 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200390; rev:1;)
alert tcp $HOME_NET any -> [54.37.36.116] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200391; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.84] 20904 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200392; rev:1;)
alert tcp $HOME_NET any -> [66.42.39.79] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200393; rev:1;)
alert tcp $HOME_NET any -> [51.116.230.173] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200394; rev:1;)
alert tcp $HOME_NET any -> [179.14.12.213] 8050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200395; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.132] 6868 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200396; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.15] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200397; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.107] 20923 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200398; rev:1;)
alert tcp $HOME_NET any -> [134.19.177.55] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200399; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.245] 4575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200400; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.105] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200401; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.85] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200402; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.32] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200403; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.145] 2558 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200404; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.220] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200405; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.83] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200406; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.201] 4575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200407; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.130] 20904 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200408; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 2507 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200409; rev:1;)
alert tcp $HOME_NET any -> [104.131.33.128] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200410; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.43] 5007 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200411; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.132] 5484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200412; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.150] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200413; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.230] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200414; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1506 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200415; rev:1;)
alert tcp $HOME_NET any -> [185.193.127.203] 6000 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200416; rev:1;)
alert tcp $HOME_NET any -> [91.193.181.158] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200417; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.68] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200418; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.135] 5484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200419; rev:1;)
alert tcp $HOME_NET any -> [5.149.253.199] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200420; rev:1;)
# The rule that starts on the next line continues beyond this part of the file.
alert tcp $HOME_NET any -> [185.165.153.116] 7866 (msg:"SSLBL: Traffic to 
malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200421; rev:1;) alert tcp $HOME_NET any -> [79.134.225.78] 5007 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200422; rev:1;) alert tcp $HOME_NET any -> [128.90.115.41] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200423; rev:1;) alert tcp $HOME_NET any -> [128.90.115.45] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200424; rev:1;) alert tcp $HOME_NET any -> [194.5.97.33] 5200 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200425; rev:1;) alert tcp $HOME_NET any -> [128.90.115.237] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200426; rev:1;) alert tcp $HOME_NET any -> [64.227.103.18] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200427; rev:1;) alert tcp $HOME_NET any -> [45.66.250.145] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200428; rev:1;) alert tcp $HOME_NET any -> 
[45.143.223.34] 3218 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200429; rev:1;) alert tcp $HOME_NET any -> [185.157.162.81] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200430; rev:1;) alert tcp $HOME_NET any -> [185.140.53.9] 7003 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200431; rev:1;) alert tcp $HOME_NET any -> [192.119.80.53] 4576 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200432; rev:1;) alert tcp $HOME_NET any -> [23.163.0.37] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200433; rev:1;) alert tcp $HOME_NET any -> [185.140.53.7] 2786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200434; rev:1;) alert tcp $HOME_NET any -> [161.35.174.89] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200435; rev:1;) alert tcp $HOME_NET any -> [157.245.164.207] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200436; 
rev:1;) alert tcp $HOME_NET any -> [103.89.91.6] 20902 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200437; rev:1;) alert tcp $HOME_NET any -> [79.134.225.84] 3454 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200438; rev:1;) alert tcp $HOME_NET any -> [185.165.153.32] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200439; rev:1;) alert tcp $HOME_NET any -> [185.165.153.209] 1990 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200440; rev:1;) alert tcp $HOME_NET any -> [185.157.162.81] 20058 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200441; rev:1;) alert tcp $HOME_NET any -> [45.11.19.57] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200442; rev:1;) alert tcp $HOME_NET any -> [194.87.18.22] 2382 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200443; rev:1;) alert tcp $HOME_NET any -> [185.165.153.173] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200444; rev:1;) alert tcp $HOME_NET any -> [194.5.97.33] 1616 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200445; rev:1;) alert tcp $HOME_NET any -> [138.197.175.96] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200446; rev:1;) alert tcp $HOME_NET any -> [194.5.249.199] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200447; rev:1;) alert tcp $HOME_NET any -> [182.92.202.24] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200448; rev:1;) alert tcp $HOME_NET any -> [194.5.97.11] 27031 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200449; rev:1;) alert tcp $HOME_NET any -> [194.5.249.11] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200450; rev:1;) alert tcp $HOME_NET any -> [134.209.160.222] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200451; rev:1;) alert tcp $HOME_NET any -> [160.20.145.14] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200452; rev:1;) alert tcp $HOME_NET any -> [109.248.11.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200453; rev:1;) alert tcp $HOME_NET any -> [85.143.223.5] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200454; rev:1;) alert tcp $HOME_NET any -> [89.40.181.108] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200455; rev:1;) alert tcp $HOME_NET any -> [185.140.53.142] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200456; rev:1;) alert tcp $HOME_NET any -> [217.12.218.199] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200457; rev:1;) alert tcp $HOME_NET any -> [206.189.164.25] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200458; rev:1;) alert tcp $HOME_NET any -> [5.34.180.91] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200459; rev:1;) alert tcp $HOME_NET any -> [160.20.145.14] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200460; rev:1;) alert tcp $HOME_NET any -> [185.19.85.155] 2327 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200461; rev:1;) alert tcp $HOME_NET any -> [185.165.153.116] 7896 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200462; rev:1;) alert tcp $HOME_NET any -> [79.134.225.55] 9654 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200463; rev:1;) alert tcp $HOME_NET any -> [159.89.174.73] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200464; rev:1;) alert tcp $HOME_NET any -> [194.5.249.184] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200465; rev:1;) alert tcp $HOME_NET any -> [217.195.153.131] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200466; rev:1;) alert tcp $HOME_NET any -> [79.134.225.51] 2211 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200467; rev:1;) alert tcp $HOME_NET any -> [87.251.70.44] 443 (msg:"SSLBL: Traffic to malicious host 
(likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200468; rev:1;) alert tcp $HOME_NET any -> [194.5.97.4] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200469; rev:1;) alert tcp $HOME_NET any -> [193.38.51.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200470; rev:1;) alert tcp $HOME_NET any -> [51.15.136.48] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200471; rev:1;) alert tcp $HOME_NET any -> [172.111.200.225] 5842 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200472; rev:1;) alert tcp $HOME_NET any -> [192.145.125.42] 4430 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200473; rev:1;) alert tcp $HOME_NET any -> [134.209.191.228] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200474; rev:1;) alert tcp $HOME_NET any -> [111.90.146.85] 1730 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200475; rev:1;) alert tcp $HOME_NET any -> [185.33.86.54] 443 
(msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200476; rev:1;) alert tcp $HOME_NET any -> [45.66.250.228] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200477; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 30986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200478; rev:1;) alert tcp $HOME_NET any -> [194.187.249.152] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200479; rev:1;) alert tcp $HOME_NET any -> [37.48.92.195] 1104 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200480; rev:1;) alert tcp $HOME_NET any -> [138.68.50.71] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200481; rev:1;) alert tcp $HOME_NET any -> [194.5.249.122] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200482; rev:1;) alert tcp $HOME_NET any -> [194.5.97.23] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200483; rev:1;) alert tcp $HOME_NET 
any -> [91.193.75.59] 20058 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200484; rev:1;) alert tcp $HOME_NET any -> [185.140.53.17] 2211 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200485; rev:1;) alert tcp $HOME_NET any -> [164.90.220.32] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200486; rev:1;) alert tcp $HOME_NET any -> [185.140.53.217] 2123 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200487; rev:1;) alert tcp $HOME_NET any -> [216.230.73.22] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200488; rev:1;) alert tcp $HOME_NET any -> [144.168.224.152] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200489; rev:1;) alert tcp $HOME_NET any -> [45.66.250.229] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200490; rev:1;) alert tcp $HOME_NET any -> [45.66.250.16] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200491; rev:1;) alert tcp $HOME_NET any -> [37.49.230.113] 1524 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200492; rev:1;) alert tcp $HOME_NET any -> [37.49.230.113] 3281 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200493; rev:1;) alert tcp $HOME_NET any -> [194.5.97.58] 20923 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200494; rev:1;) alert tcp $HOME_NET any -> [37.120.146.7] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200495; rev:1;) alert tcp $HOME_NET any -> [103.153.76.133] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200496; rev:1;) alert tcp $HOME_NET any -> [51.75.155.78] 8595 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200497; rev:1;) alert tcp $HOME_NET any -> [95.211.170.243] 1576 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200498; rev:1;) alert tcp $HOME_NET any -> [157.230.17.102] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905200499; rev:1;) alert tcp $HOME_NET any -> [146.0.77.108] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200500; rev:1;) alert tcp $HOME_NET any -> [172.94.47.80] 4411 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200501; rev:1;) alert tcp $HOME_NET any -> [82.102.28.107] 62727 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200502; rev:1;) alert tcp $HOME_NET any -> [194.5.98.81] 3434 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200503; rev:1;) alert tcp $HOME_NET any -> [116.203.55.94] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200504; rev:1;) alert tcp $HOME_NET any -> [2.56.214.165] 1234 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200505; rev:1;) alert tcp $HOME_NET any -> [140.82.33.50] 4784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200506; rev:1;) alert tcp $HOME_NET any -> [37.120.146.107] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200507; rev:1;) alert tcp $HOME_NET any -> [161.35.100.78] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200508; rev:1;) alert tcp $HOME_NET any -> [107.148.200.130] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200509; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 46300 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200510; rev:1;) alert tcp $HOME_NET any -> [45.153.240.101] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200511; rev:1;) alert tcp $HOME_NET any -> [103.151.122.113] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200512; rev:1;) alert tcp $HOME_NET any -> [194.5.98.95] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200513; rev:1;) alert tcp $HOME_NET any -> [178.238.8.65] 5055 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200514; rev:1;) alert tcp $HOME_NET any -> [194.5.249.158] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200515; rev:1;) alert tcp $HOME_NET any -> [128.90.108.78] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200516; rev:1;) alert tcp $HOME_NET any -> [91.234.99.15] 443 (msg:"SSLBL: Traffic to malicious host (likely DiamondFox C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200517; rev:1;) alert tcp $HOME_NET any -> [139.59.56.38] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200518; rev:1;) alert tcp $HOME_NET any -> [188.172.80.161] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200519; rev:1;) alert tcp $HOME_NET any -> [128.90.108.74] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200520; rev:1;) alert tcp $HOME_NET any -> [63.209.33.1] 25980 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200521; rev:1;) alert tcp $HOME_NET any -> [181.52.111.14] 1881 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200522; rev:1;) alert tcp $HOME_NET any -> [185.140.53.130] 6996 (msg:"SSLBL: Traffic to malicious 
host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200523; rev:1;) alert tcp $HOME_NET any -> [128.90.108.26] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200524; rev:1;) alert tcp $HOME_NET any -> [51.161.96.106] 3001 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200525; rev:1;) alert tcp $HOME_NET any -> [51.161.96.106] 3001 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200526; rev:1;) alert tcp $HOME_NET any -> [23.254.118.153] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200527; rev:1;) alert tcp $HOME_NET any -> [188.130.138.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200528; rev:1;) alert tcp $HOME_NET any -> [142.202.240.110] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200529; rev:1;) alert tcp $HOME_NET any -> [185.22.152.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200530; rev:1;) alert tcp $HOME_NET any -> [91.109.176.4] 
7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200531; rev:1;) alert tcp $HOME_NET any -> [51.210.87.65] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200532; rev:1;) alert tcp $HOME_NET any -> [45.153.240.153] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200533; rev:1;) alert tcp $HOME_NET any -> [128.90.108.246] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200534; rev:1;) alert tcp $HOME_NET any -> [91.193.75.93] 20987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200535; rev:1;) alert tcp $HOME_NET any -> [185.140.53.219] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200536; rev:1;) alert tcp $HOME_NET any -> [37.49.224.150] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200537; rev:1;) alert tcp $HOME_NET any -> [5.101.51.133] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200538; rev:1;) 
# Destination-only C2 indicators: every rule in this group matches on IP and
# port alone. The entries on port 443 also match any other TLS service that is
# reachable on the same address, so corroborate a hit with TLS certificate or
# proxy logs before treating the source host as compromised.
# NOTE(review): the file header gives a last-updated time of 2021-01-19; IP
# indicators age as addresses are reassigned, so check against the current feed.
alert tcp $HOME_NET any -> [45.66.250.148] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200539; rev:1;)
alert tcp $HOME_NET any -> [151.106.19.145] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200540; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.161] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200541; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.49] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200542; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.56] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200543; rev:1;)
alert tcp $HOME_NET any -> [191.101.130.42] 9931 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200544; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.8] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200545; rev:1;)
alert tcp $HOME_NET any -> [149.255.35.92] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200546; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 7071 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200547; rev:1;)
alert tcp $HOME_NET any -> [206.123.129.103] 5456 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200548; rev:1;)
alert tcp $HOME_NET any -> [46.101.163.251] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200549; rev:1;)
alert tcp $HOME_NET any -> [194.5.249.109] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200550; rev:1;)
alert tcp $HOME_NET any -> [188.120.255.249] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200551; rev:1;)
alert tcp $HOME_NET any -> [35.241.200.200] 10132 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200552; rev:1;)
alert tcp $HOME_NET any -> [188.120.255.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200553; rev:1;)
alert tcp $HOME_NET any -> [185.136.165.173] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200554; rev:1;)
alert tcp $HOME_NET any -> [91.245.227.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200555; rev:1;)
alert tcp $HOME_NET any -> [37.49.224.15] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200556; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.11] 9845 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200557; rev:1;)
alert tcp $HOME_NET any -> [84.38.181.209] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200558; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.114] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200559; rev:1;)
alert tcp $HOME_NET any -> [128.90.105.130] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200560; rev:1;)
alert tcp $HOME_NET any -> [185.33.85.47] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200561; rev:1;)
alert tcp $HOME_NET any -> [45.143.222.153] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200562; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.211] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200563; rev:1;)
alert tcp $HOME_NET any -> [192.186.183.150] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200564; rev:1;)
alert tcp $HOME_NET any -> [37.230.131.83] 9524 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200565; rev:1;)
# sid 905200566 carries the generic label "Malware": the feed gives no family
# attribution for this destination.
alert tcp $HOME_NET any -> [8.209.102.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200566; rev:1;)
alert tcp $HOME_NET any -> [80.85.157.34] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200567; rev:1;)
alert tcp $HOME_NET any -> [45.147.231.229] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200568; rev:1;)
alert tcp $HOME_NET any -> [188.241.58.228] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200569; rev:1;)
alert tcp $HOME_NET any -> [165.227.64.184] 443 (msg:"SSLBL: 
Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200570; rev:1;)
# IP-and-port indicators only; none of these rules inspects content.
# Several entries here point at 128.90.x.x addresses on port 3468, all labelled
# AsyncRAT. Hits on more than one of those sids from the same source within a
# short window presumably reflect one infection rotating endpoints rather than
# several separate ones; correlate by source before counting incidents.
alert tcp $HOME_NET any -> [128.90.112.213] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200571; rev:1;)
alert tcp $HOME_NET any -> [5.188.4.174] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200572; rev:1;)
alert tcp $HOME_NET any -> [185.33.234.204] 4784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200573; rev:1;)
alert tcp $HOME_NET any -> [185.118.167.4] 8485 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200574; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.15] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200575; rev:1;)
alert tcp $HOME_NET any -> [128.90.105.75] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200576; rev:1;)
alert tcp $HOME_NET any -> [79.141.166.229] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200577; rev:1;)
alert tcp $HOME_NET any -> [51.15.21.149] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200578; rev:1;)
alert tcp $HOME_NET any -> [47.254.177.197] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200579; rev:1;)
alert tcp $HOME_NET any -> [128.90.107.110] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200580; rev:1;)
alert tcp $HOME_NET any -> [161.35.145.71] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200581; rev:1;)
alert tcp $HOME_NET any -> [66.228.45.248] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200582; rev:1;)
alert tcp $HOME_NET any -> [117.3.216.38] 3589 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200583; rev:1;)
alert tcp $HOME_NET any -> [104.168.173.141] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200584; rev:1;)
alert tcp $HOME_NET any -> [188.225.78.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200585; rev:1;)
alert tcp $HOME_NET any -> [178.62.90.125] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200586; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.254] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200587; rev:1;)
alert tcp $HOME_NET any -> [128.90.112.128] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200588; rev:1;)
alert tcp $HOME_NET any -> [128.90.112.171] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200589; rev:1;)
alert tcp $HOME_NET any -> [45.153.241.126] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200590; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.21] 8991 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200591; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.14] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200592; rev:1;)
alert tcp $HOME_NET any -> [216.218.208.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200593; rev:1;)
alert tcp $HOME_NET any -> [103.138.108.193] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200594; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.200] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200595; rev:1;)
alert tcp $HOME_NET any -> [84.38.180.246] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200596; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.6] 270 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200597; rev:1;)
alert tcp $HOME_NET any -> [94.100.18.64] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200598; rev:1;)
alert tcp $HOME_NET any -> [161.35.228.142] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200599; rev:1;)
# 79.134.225.19 is listed here on port 5812 as Adwind; sid 905200618 lists the
# same address on port 8301 as AsyncRAT, so the address is the stable pivot,
# not the family label.
alert tcp $HOME_NET any -> [79.134.225.19] 5812 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200600; rev:1;)
alert tcp $HOME_NET any -> [128.90.112.11] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200601; rev:1;)
# Every rule in this group uses the in-rule threshold option to emit at most one
# alert per source address per 60 seconds for each sid, so a missing alert in a
# given minute does not mean the traffic stopped; use flow or connection logs to
# measure how often a host actually reached the destination.
# NOTE(review): Snort 2.x documents the in-rule threshold keyword as deprecated
# in favour of event_filter / detection_filter; confirm the deployed sensor
# version still loads these rules as written.
alert tcp $HOME_NET any -> [103.151.122.193] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200602; rev:1;)
alert tcp $HOME_NET any -> [8.210.57.151] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200603; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.86] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200604; rev:1;)
alert tcp $HOME_NET any -> [80.249.145.100] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200605; rev:1;)
alert tcp $HOME_NET any -> [167.172.216.222] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200606; rev:1;)
alert tcp $HOME_NET any -> [103.89.91.6] 20197 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200607; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.87] 4848 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200608; rev:1;)
alert tcp $HOME_NET any -> [182.92.225.203] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200609; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.247] 4723 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200610; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.24] 6669 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200611; rev:1;)
alert tcp $HOME_NET any -> [5.188.228.46] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200612; rev:1;)
alert tcp $HOME_NET any -> [157.245.96.68] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200613; rev:1;)
alert tcp $HOME_NET any -> [23.227.207.140] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200614; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.134] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200615; rev:1;)
alert tcp $HOME_NET any -> [74.91.115.145] 9825 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200616; rev:1;)
alert tcp $HOME_NET any -> [80.249.144.38] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200617; rev:1;)
# Same address as sid 905200600 (port 5812, Adwind), here on port 8301 with an
# AsyncRAT label.
alert tcp $HOME_NET any -> [79.134.225.19] 8301 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200618; rev:1;)
alert tcp $HOME_NET any -> [185.105.1.165] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200619; rev:1;)
alert tcp $HOME_NET any -> [159.65.147.133] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200620; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.147] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200621; rev:1;)
alert tcp $HOME_NET any -> [8.208.26.123] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200622; rev:1;)
alert tcp $HOME_NET any -> [167.71.227.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200623; rev:1;)
alert tcp $HOME_NET any -> [193.38.55.44] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200624; rev:1;)
alert tcp $HOME_NET any -> [134.209.204.246] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200625; rev:1;)
alert tcp $HOME_NET any -> [156.255.3.231] 444 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200626; rev:1;)
alert tcp $HOME_NET any -> [82.53.78.66] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200627; rev:1;)
alert tcp $HOME_NET any -> [45.143.222.212] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200628; rev:1;)
alert tcp $HOME_NET any -> [185.105.1.161] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200629; rev:1;)
alert tcp $HOME_NET any -> [159.203.61.77] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200630; rev:1;)
alert tcp $HOME_NET any -> [94.100.18.83] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200631; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.82] 54280 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200632; rev:1;)
# The action on every rule in this group is `alert`: a match is logged, not
# blocked. Whether to also deny these destinations at the egress firewall or
# proxy is a separate local decision.
# The source is restricted to $HOME_NET and the flow must be established and
# client-to-server, so only outbound connections that completed the TCP
# handshake are reported; blocked or unanswered SYNs to these addresses will not
# appear here. Check firewall deny logs for those.
alert tcp $HOME_NET any -> [84.194.102.183] 5781 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200633; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.125] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200634; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.161] 3109 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200635; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200636; rev:1;)
alert tcp $HOME_NET any -> [51.195.35.9] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200637; rev:1;)
alert tcp $HOME_NET any -> [80.249.147.138] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200638; rev:1;)
alert tcp $HOME_NET any -> [47.241.35.230] 3333 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200639; rev:1;)
alert tcp $HOME_NET any -> [176.107.177.67] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200640; rev:1;)
alert tcp $HOME_NET any -> [172.94.19.67] 8482 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200641; rev:1;)
alert tcp $HOME_NET any -> [178.128.213.80] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200642; rev:1;)
alert tcp $HOME_NET any -> [185.82.126.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200643; rev:1;)
alert tcp $HOME_NET any -> [193.203.50.51] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200644; rev:1;)
alert tcp $HOME_NET any -> [84.38.182.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200645; rev:1;)
alert tcp $HOME_NET any -> [188.68.220.80] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200646; rev:1;)
alert tcp $HOME_NET any -> [45.143.222.142] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200647; rev:1;)
alert tcp $HOME_NET any -> [142.93.149.145] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200648; rev:1;)
alert tcp $HOME_NET any -> [45.147.230.85] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200649; rev:1;)
alert tcp $HOME_NET any -> [23.227.196.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200650; rev:1;)
alert tcp $HOME_NET any -> [45.113.2.107] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200651; rev:1;)
alert tcp $HOME_NET any -> [167.172.149.139] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200652; rev:1;)
alert tcp $HOME_NET any -> [188.68.221.93] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200653; rev:1;)
alert tcp $HOME_NET any -> [37.72.175.220] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200654; rev:1;)
alert tcp $HOME_NET any -> [79.143.31.33] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200655; rev:1;)
alert tcp $HOME_NET any -> [64.227.105.16] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200656; rev:1;)
alert tcp $HOME_NET any -> [35.188.83.68] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200657; rev:1;)
alert tcp $HOME_NET any -> [45.32.137.86] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200658; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.167] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200659; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.250] 6204 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200660; rev:1;)
alert tcp $HOME_NET any -> [161.35.84.5] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200661; rev:1;)
alert tcp $HOME_NET any -> [83.171.238.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200662; rev:1;)
alert tcp $HOME_NET any -> [51.254.178.24] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200663; rev:1;)
alert tcp $HOME_NET any -> [198.50.252.31] 443 (msg:"SSLBL: Traffic to malicious 
host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200664; rev:1;) alert tcp $HOME_NET any -> [89.207.129.43] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200665; rev:1;) alert tcp $HOME_NET any -> [37.49.224.176] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200666; rev:1;) alert tcp $HOME_NET any -> [185.176.222.156] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200667; rev:1;) alert tcp $HOME_NET any -> [185.244.213.103] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200668; rev:1;) alert tcp $HOME_NET any -> [45.89.175.154] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200669; rev:1;) alert tcp $HOME_NET any -> [118.24.214.63] 5613 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200670; rev:1;) alert tcp $HOME_NET any -> [160.124.140.146] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200671; rev:1;) alert tcp $HOME_NET any -> 
[84.38.180.125] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200672; rev:1;) alert tcp $HOME_NET any -> [148.0.135.30] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200673; rev:1;) alert tcp $HOME_NET any -> [185.141.33.69] 5052 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200674; rev:1;) alert tcp $HOME_NET any -> [185.65.202.58] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200675; rev:1;) alert tcp $HOME_NET any -> [62.108.35.175] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200676; rev:1;) alert tcp $HOME_NET any -> [194.5.250.184] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200677; rev:1;) alert tcp $HOME_NET any -> [194.5.98.98] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200678; rev:1;) alert tcp $HOME_NET any -> [94.100.18.43] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200679; rev:1;) alert tcp $HOME_NET any -> [79.134.225.111] 1507 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200680; rev:1;) alert tcp $HOME_NET any -> [199.192.19.38] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200681; rev:1;) alert tcp $HOME_NET any -> [45.147.231.191] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200682; rev:1;) alert tcp $HOME_NET any -> [80.249.146.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200683; rev:1;) alert tcp $HOME_NET any -> [195.123.245.187] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200684; rev:1;) alert tcp $HOME_NET any -> [106.54.62.149] 15555 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200685; rev:1;) alert tcp $HOME_NET any -> [45.143.222.115] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200686; rev:1;) alert tcp $HOME_NET any -> [185.140.53.161] 7266 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905200687; rev:1;) alert tcp $HOME_NET any -> [80.249.146.101] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200688; rev:1;) alert tcp $HOME_NET any -> [87.255.6.145] 5123 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200689; rev:1;) alert tcp $HOME_NET any -> [45.142.213.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200690; rev:1;) alert tcp $HOME_NET any -> [188.68.221.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200691; rev:1;) alert tcp $HOME_NET any -> [79.141.166.200] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200692; rev:1;) alert tcp $HOME_NET any -> [117.199.6.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200693; rev:1;) alert tcp $HOME_NET any -> [8.208.28.166] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200694; rev:1;) alert tcp $HOME_NET any -> [45.143.138.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200695; rev:1;) alert tcp $HOME_NET any -> [45.55.60.31] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200696; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 21254 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200697; rev:1;) alert tcp $HOME_NET any -> [194.135.93.234] 1349 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200698; rev:1;) alert tcp $HOME_NET any -> [31.184.254.46] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200699; rev:1;) alert tcp $HOME_NET any -> [8.209.79.24] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200700; rev:1;) alert tcp $HOME_NET any -> [157.245.169.70] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200701; rev:1;) alert tcp $HOME_NET any -> [87.255.6.145] 2005 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200702; rev:1;) alert tcp $HOME_NET any -> [185.140.53.219] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200703; rev:1;) alert tcp $HOME_NET any -> [161.35.24.186] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200704; rev:1;) alert tcp $HOME_NET any -> [95.216.251.222] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200705; rev:1;) alert tcp $HOME_NET any -> [80.249.145.124] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200706; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 48736 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200707; rev:1;) alert tcp $HOME_NET any -> [178.62.15.225] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200708; rev:1;) alert tcp $HOME_NET any -> [205.185.125.93] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200709; rev:1;) alert tcp $HOME_NET any -> [5.149.253.194] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200710; rev:1;) alert tcp $HOME_NET any -> [31.184.254.232] 443 (msg:"SSLBL: Traffic to malicious 
host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200711; rev:1;) alert tcp $HOME_NET any -> [84.38.183.210] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200712; rev:1;) alert tcp $HOME_NET any -> [146.0.72.182] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200713; rev:1;) alert tcp $HOME_NET any -> [8.210.77.76] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200714; rev:1;) alert tcp $HOME_NET any -> [8.208.101.150] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200715; rev:1;) alert tcp $HOME_NET any -> [84.38.180.104] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200716; rev:1;) alert tcp $HOME_NET any -> [79.134.225.12] 4567 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200717; rev:1;) alert tcp $HOME_NET any -> [194.5.98.129] 5554 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200718; rev:1;) alert tcp $HOME_NET any -> [195.2.93.77] 8808 
(msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200719; rev:1;) alert tcp $HOME_NET any -> [82.148.28.9] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200720; rev:1;) alert tcp $HOME_NET any -> [195.2.93.77] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200721; rev:1;) alert tcp $HOME_NET any -> [185.49.68.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200722; rev:1;) alert tcp $HOME_NET any -> [185.159.82.226] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200723; rev:1;) alert tcp $HOME_NET any -> [107.173.171.162] 1738 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200724; rev:1;) alert tcp $HOME_NET any -> [80.249.146.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200725; rev:1;) alert tcp $HOME_NET any -> [185.236.203.192] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200726; rev:1;) alert tcp $HOME_NET 
any -> [87.255.6.145] 2004 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200727; rev:1;) alert tcp $HOME_NET any -> [93.190.93.29] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200728; rev:1;) alert tcp $HOME_NET any -> [8.209.96.17] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200729; rev:1;) alert tcp $HOME_NET any -> [45.89.175.151] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200730; rev:1;) alert tcp $HOME_NET any -> [103.147.185.105] 9242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200731; rev:1;) alert tcp $HOME_NET any -> [46.21.147.169] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200732; rev:1;) alert tcp $HOME_NET any -> [8.209.99.58] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200733; rev:1;) alert tcp $HOME_NET any -> [159.89.139.204] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200734; rev:1;) alert tcp $HOME_NET any -> [159.65.103.89] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200735; rev:1;) alert tcp $HOME_NET any -> [165.22.26.177] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200736; rev:1;) alert tcp $HOME_NET any -> [188.215.229.20] 22 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200737; rev:1;) alert tcp $HOME_NET any -> [103.151.125.141] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200738; rev:1;) alert tcp $HOME_NET any -> [80.249.146.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200739; rev:1;) alert tcp $HOME_NET any -> [84.38.180.239] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200740; rev:1;) alert tcp $HOME_NET any -> [38.68.50.180] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200741; rev:1;) alert tcp $HOME_NET any -> [167.71.0.179] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200742; rev:1;) alert tcp $HOME_NET any -> [185.70.184.88] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200743; rev:1;) alert tcp $HOME_NET any -> [185.140.53.129] 7776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200744; rev:1;) alert tcp $HOME_NET any -> [217.29.53.4] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200745; rev:1;) alert tcp $HOME_NET any -> [47.254.242.30] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200746; rev:1;) alert tcp $HOME_NET any -> [141.255.158.51] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200747; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 21985 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200748; rev:1;) alert tcp $HOME_NET any -> [84.38.183.116] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200749; rev:1;) alert tcp $HOME_NET any -> [45.67.230.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200750; rev:1;) alert tcp $HOME_NET any -> [139.60.161.209] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200751; rev:1;) alert tcp $HOME_NET any -> [185.161.208.94] 2222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200752; rev:1;) alert tcp $HOME_NET any -> [89.105.197.14] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200753; rev:1;) alert tcp $HOME_NET any -> [79.134.225.49] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200754; rev:1;) alert tcp $HOME_NET any -> [23.227.199.112] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200755; rev:1;) alert tcp $HOME_NET any -> [92.204.160.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200756; rev:1;) alert tcp $HOME_NET any -> [64.225.65.166] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200757; rev:1;) alert tcp $HOME_NET any -> [38.132.124.231] 443 (msg:"SSLBL: Traffic to malicious host (likely GuLoader C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200758; rev:1;) alert tcp $HOME_NET any -> [149.255.35.163] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200759; rev:1;) alert tcp $HOME_NET any -> [185.236.201.102] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200760; rev:1;) alert tcp $HOME_NET any -> [68.235.48.108] 6250 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200761; rev:1;) alert tcp $HOME_NET any -> [161.35.197.114] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200762; rev:1;) alert tcp $HOME_NET any -> [185.244.30.180] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200763; rev:1;) alert tcp $HOME_NET any -> [102.130.119.183] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200764; rev:1;) alert tcp $HOME_NET any -> [80.249.147.57] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200765; rev:1;) alert tcp $HOME_NET any -> [45.67.228.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200766; rev:1;) alert tcp $HOME_NET any -> [102.130.119.184] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200767; rev:1;) alert tcp $HOME_NET any -> [3.124.197.215] 3333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200768; rev:1;) alert tcp $HOME_NET any -> [109.230.215.25] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200769; rev:1;) alert tcp $HOME_NET any -> [91.211.246.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200770; rev:1;) alert tcp $HOME_NET any -> [93.190.93.152] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200771; rev:1;) alert tcp $HOME_NET any -> [89.105.194.243] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200772; rev:1;) alert tcp $HOME_NET any -> [139.60.161.57] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200773; rev:1;) alert tcp $HOME_NET any -> [5.101.50.87] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200774; rev:1;)
# Every rule in this run has the same shape: alert on an established TCP flow from
# $HOME_NET to one listed IP and port, matching the client-to-server direction only.
# `threshold: type limit, track by_src, seconds 60, count 1` caps each rule at one
# alert per source address per 60 seconds.
# The match is on destination address and port alone (no content or TLS keyword is
# present), so the family named in msg is the feed's label for that host and is not
# checked against the traffic itself.
# NOTE(review): sid 905200775 and sid 905200776 below share the destination
# 80.249.146.100:443 and differ only in the msg label and sid, so a single connection
# is expected to raise both alerts; correlate or dedupe by destination downstream.
alert tcp $HOME_NET any -> [80.249.146.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200775; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.100] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200776; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.41] 5288 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200777; rev:1;)
alert tcp $HOME_NET any -> [192.210.237.74] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200778; rev:1;)
alert tcp $HOME_NET any -> [45.89.175.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200779; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1501 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200780; rev:1;)
alert tcp $HOME_NET any -> [45.147.231.75] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200781; rev:1;)
alert tcp $HOME_NET any -> 
[185.80.128.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200782; rev:1;) alert tcp $HOME_NET any -> [199.188.206.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200783; rev:1;) alert tcp $HOME_NET any -> [37.221.113.68] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200784; rev:1;) alert tcp $HOME_NET any -> [85.17.26.178] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200785; rev:1;) alert tcp $HOME_NET any -> [84.38.183.227] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200786; rev:1;) alert tcp $HOME_NET any -> [84.38.183.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200787; rev:1;) alert tcp $HOME_NET any -> [46.102.153.39] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200788; rev:1;) alert tcp $HOME_NET any -> [185.80.128.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200789; 
rev:1;) alert tcp $HOME_NET any -> [121.42.15.110] 8081 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200790; rev:1;) alert tcp $HOME_NET any -> [23.94.54.199] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200791; rev:1;) alert tcp $HOME_NET any -> [47.53.137.56] 1606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200792; rev:1;) alert tcp $HOME_NET any -> [139.59.28.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200793; rev:1;) alert tcp $HOME_NET any -> [5.206.225.37] 5566 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200794; rev:1;) alert tcp $HOME_NET any -> [3.8.93.207] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200795; rev:1;) alert tcp $HOME_NET any -> [46.21.147.240] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200796; rev:1;) alert tcp $HOME_NET any -> [185.34.52.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200797; rev:1;) alert tcp $HOME_NET any -> [79.143.30.10] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200798; rev:1;) alert tcp $HOME_NET any -> [45.66.250.161] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200799; rev:1;) alert tcp $HOME_NET any -> [31.24.224.7] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200800; rev:1;) alert tcp $HOME_NET any -> [167.86.118.236] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200801; rev:1;) alert tcp $HOME_NET any -> [84.38.180.26] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200802; rev:1;) alert tcp $HOME_NET any -> [178.62.16.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200803; rev:1;) alert tcp $HOME_NET any -> [34.70.172.237] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200804; rev:1;) alert tcp $HOME_NET any -> [216.38.8.169] 8153 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200805; rev:1;) alert tcp $HOME_NET any -> [185.41.154.105] 587 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200806; rev:1;) alert tcp $HOME_NET any -> [198.27.105.164] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200807; rev:1;) alert tcp $HOME_NET any -> [185.200.241.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200808; rev:1;) alert tcp $HOME_NET any -> [172.104.163.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200809; rev:1;) alert tcp $HOME_NET any -> [185.244.30.202] 2243 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200810; rev:1;) alert tcp $HOME_NET any -> [185.80.129.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200811; rev:1;) alert tcp $HOME_NET any -> [79.134.225.47] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200812; rev:1;) alert tcp $HOME_NET any -> [45.11.18.76] 5095 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200813; rev:1;) alert tcp $HOME_NET any -> [5.39.218.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200814; rev:1;) alert tcp $HOME_NET any -> [38.132.99.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200815; rev:1;) alert tcp $HOME_NET any -> [67.43.239.171] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200816; rev:1;) alert tcp $HOME_NET any -> [37.228.116.200] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200817; rev:1;) alert tcp $HOME_NET any -> [45.58.139.101] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200818; rev:1;) alert tcp $HOME_NET any -> [89.33.246.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200819; rev:1;) alert tcp $HOME_NET any -> [91.193.75.163] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200820; rev:1;) alert tcp $HOME_NET any -> [172.105.52.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200821; rev:1;) alert tcp $HOME_NET any -> [176.123.7.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200822; rev:1;) alert tcp $HOME_NET any -> [185.236.202.149] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200823; rev:1;) alert tcp $HOME_NET any -> [192.188.88.247] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200824; rev:1;) alert tcp $HOME_NET any -> [64.251.28.62] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200825; rev:1;) alert tcp $HOME_NET any -> [91.193.75.145] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200826; rev:1;) alert tcp $HOME_NET any -> [193.56.28.11] 7870 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200827; rev:1;) alert tcp $HOME_NET any -> [149.255.35.139] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200828; rev:1;) alert tcp $HOME_NET any -> [149.255.35.159] 443 (msg:"SSLBL: Traffic to 
malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200829; rev:1;) alert tcp $HOME_NET any -> [94.158.245.4] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200830; rev:1;) alert tcp $HOME_NET any -> [66.165.246.89] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200831; rev:1;) alert tcp $HOME_NET any -> [142.202.190.47] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200832; rev:1;) alert tcp $HOME_NET any -> [185.225.19.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200833; rev:1;) alert tcp $HOME_NET any -> [13.82.28.199] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200834; rev:1;) alert tcp $HOME_NET any -> [80.209.241.84] 56789 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200835; rev:1;) alert tcp $HOME_NET any -> [142.202.188.195] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200836; rev:1;) alert tcp $HOME_NET any -> 
[5.39.221.45] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200837; rev:1;) alert tcp $HOME_NET any -> [79.134.225.71] 2786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200838; rev:1;) alert tcp $HOME_NET any -> [165.227.198.46] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200839; rev:1;) alert tcp $HOME_NET any -> [91.218.66.231] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200840; rev:1;) alert tcp $HOME_NET any -> [46.17.98.48] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200841; rev:1;) alert tcp $HOME_NET any -> [47.241.116.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200842; rev:1;) alert tcp $HOME_NET any -> [23.254.229.35] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200843; rev:1;) alert tcp $HOME_NET any -> [5.39.221.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200844; rev:1;) 
# How to read the rules in this list:
# - Each rule matches only on the destination IP and port of an established,
#   client-to-server TCP flow whose source is in $HOME_NET. There is no payload
#   or TLS-certificate condition, so a hit means "an internal host connected to
#   a listed IP:port", not "this host is confirmed infected". Tie the flow to the
#   originating process on the source host and to TLS/flow logs before escalating.
# - `threshold: type limit, track by_src, seconds 60, count 1` caps each rule at
#   one alert per source address per 60 seconds. Later connections inside that
#   window raise no alert, so use flow records to judge beaconing volume.
# - The addresses are point-in-time indicators (see the "Last updated" stamp in
#   the file header). Hosting and cloud addresses get reassigned, so reload the
#   list from the feed on a schedule and expect false positives from stale
#   entries in a stored copy.
# - Some IP:port pairs appear under two sids with different family labels (for
#   example 80.249.146.100:443 as sid 905200775 and sid 905200776), so a single
#   connection can raise two alerts; deduplicate on destination when counting.
alert tcp $HOME_NET any -> [45.32.128.100] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200845; rev:1;) alert tcp $HOME_NET any -> [142.202.188.216] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200846; rev:1;) alert tcp $HOME_NET any -> [167.114.12.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200847; rev:1;) alert tcp $HOME_NET any -> [89.163.245.168] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200848; rev:1;) alert tcp $HOME_NET any -> [89.163.253.225] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200849; rev:1;) alert tcp $HOME_NET any -> [95.174.65.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200850; rev:1;) alert tcp $HOME_NET any -> [38.68.46.160] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200851; rev:1;) alert tcp $HOME_NET any -> [46.183.222.49] 6689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200852; rev:1;) alert tcp $HOME_NET any -> [46.21.150.151] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200853; rev:1;) alert tcp $HOME_NET any -> [79.134.225.70] 2321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200854; rev:1;) alert tcp $HOME_NET any -> [8.209.74.159] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200855; rev:1;) alert tcp $HOME_NET any -> [185.34.52.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200856; rev:1;) alert tcp $HOME_NET any -> [185.244.29.203] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200857; rev:1;) alert tcp $HOME_NET any -> [86.106.20.175] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200858; rev:1;) alert tcp $HOME_NET any -> [172.241.27.37] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200859; rev:1;) alert tcp $HOME_NET any -> [91.132.139.214] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905200860; rev:1;) alert tcp $HOME_NET any -> [149.255.36.132] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200861; rev:1;) alert tcp $HOME_NET any -> [91.193.75.7] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200862; rev:1;) alert tcp $HOME_NET any -> [185.244.30.202] 1139 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200863; rev:1;) alert tcp $HOME_NET any -> [24.185.111.219] 54455 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200864; rev:1;) alert tcp $HOME_NET any -> [54.36.17.100] 5060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200865; rev:1;) alert tcp $HOME_NET any -> [8.208.9.171] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200866; rev:1;) alert tcp $HOME_NET any -> [190.213.78.26] 5000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200867; rev:1;) alert tcp $HOME_NET any -> [79.134.225.82] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200868; rev:1;) alert tcp $HOME_NET any -> [178.170.138.217] 3097 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200869; rev:1;) alert tcp $HOME_NET any -> [212.8.247.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200870; rev:1;) alert tcp $HOME_NET any -> [114.67.122.133] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200871; rev:1;) alert tcp $HOME_NET any -> [83.11.66.225] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200872; rev:1;) alert tcp $HOME_NET any -> [103.147.184.237] 5010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200873; rev:1;) alert tcp $HOME_NET any -> [91.218.66.231] 18888 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200874; rev:1;) alert tcp $HOME_NET any -> [79.134.225.102] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200875; rev:1;) alert tcp $HOME_NET any -> [47.106.209.173] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200876; rev:1;) alert tcp $HOME_NET any -> [37.120.140.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200877; rev:1;) alert tcp $HOME_NET any -> [24.31.167.44] 4444 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200878; rev:1;) alert tcp $HOME_NET any -> [185.163.45.109] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200879; rev:1;) alert tcp $HOME_NET any -> [91.92.144.29] 2088 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200880; rev:1;) alert tcp $HOME_NET any -> [47.241.2.255] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200881; rev:1;) alert tcp $HOME_NET any -> [45.32.128.117] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200882; rev:1;) alert tcp $HOME_NET any -> [185.80.130.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200883; rev:1;) alert tcp $HOME_NET any -> [194.5.97.223] 6204 (msg:"SSLBL: Traffic to 
malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200884; rev:1;) alert tcp $HOME_NET any -> [41.96.194.11] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200885; rev:1;) alert tcp $HOME_NET any -> [185.140.53.154] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200886; rev:1;) alert tcp $HOME_NET any -> [41.96.193.66] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200887; rev:1;) alert tcp $HOME_NET any -> [185.244.29.129] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200888; rev:1;) alert tcp $HOME_NET any -> [185.236.202.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200889; rev:1;) alert tcp $HOME_NET any -> [91.193.75.172] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200890; rev:1;) alert tcp $HOME_NET any -> [120.132.81.251] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200891; rev:1;) alert tcp $HOME_NET any -> 
[193.56.28.20] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200892; rev:1;) alert tcp $HOME_NET any -> [121.140.64.142] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200893; rev:1;) alert tcp $HOME_NET any -> [92.241.100.83] 25530 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200894; rev:1;) alert tcp $HOME_NET any -> [41.96.30.85] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200895; rev:1;) alert tcp $HOME_NET any -> [198.50.252.26] 1980 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200896; rev:1;) alert tcp $HOME_NET any -> [181.52.111.181] 8015 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200897; rev:1;) alert tcp $HOME_NET any -> [139.60.161.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200898; rev:1;) alert tcp $HOME_NET any -> [217.8.117.41] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200899; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules below (one rule per line):
#   * Each rule matches TCP from $HOME_NET (any source port) to ONE listed
#     destination IP and port. No payload, TLS or certificate option is
#     present, so the match is on address and port only.
#   * flow:established,to_server -> the rule fires only on an established
#     session in the client-to-server direction; a connection attempt that
#     never completes (e.g. dropped at the firewall) raises no alert.
#   * threshold: type limit, track by_src, seconds 60, count 1 -> at most one
#     alert per source address per 60 seconds, counted separately per sid.
#   * msg names a "likely" family; "Malware" is a generic label with no
#     family given.
# NOTE(review): an IP:port hit alone does not confirm an infection. Addresses
#   are reassigned and :443 destinations may sit on shared hosting -- check the
#   feed's "Last updated" time and corroborate with endpoint or TLS telemetry
#   before acting on an alert.
# NOTE(review): these rules are only as precise as $HOME_NET; confirm it is
#   scoped to internal ranges in the sensor configuration.
# NOTE(review): the Snort 2.9 manual documents the in-rule `threshold` keyword
#   as deprecated in favour of event_filter -- confirm the target engine and
#   version still load these rules as written.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [68.235.48.108] 6532 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200900; rev:1;)
alert tcp $HOME_NET any -> [104.244.74.228] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200901; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.207] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200902; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.111] 17175 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200903; rev:1;)
alert tcp $HOME_NET any -> [84.201.188.25] 7007 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200904; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.207] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200905; rev:1;)
alert tcp $HOME_NET any -> [64.79.67.69] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200906; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.85] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200907; rev:1;)
alert tcp $HOME_NET any -> [134.122.98.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200908; rev:1;)
alert tcp $HOME_NET any -> [172.105.75.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200909; rev:1;)
alert tcp $HOME_NET any -> [139.60.161.95] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200910; rev:1;)
alert tcp $HOME_NET any -> [80.83.26.131] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200911; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200912; rev:1;)
alert tcp $HOME_NET any -> [91.211.245.161] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200913; rev:1;)
alert tcp $HOME_NET any -> [193.37.214.127] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200914; rev:1;)
alert tcp $HOME_NET any -> [103.147.184.237] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200915; rev:1;)
alert tcp $HOME_NET any -> [8.208.83.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200916; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.70] 2333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200917; rev:1;)
alert tcp $HOME_NET any -> [41.96.152.168] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200918; rev:1;)
alert tcp $HOME_NET any -> [5.45.71.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200919; rev:1;)
alert tcp $HOME_NET any -> [185.70.184.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200920; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.206] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200921; rev:1;)
alert tcp $HOME_NET any -> [91.132.139.206] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200922; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.194] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200923; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.9] 2487 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200924; rev:1;)
alert tcp $HOME_NET any -> [139.99.122.112] 62 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200925; rev:1;)
alert tcp $HOME_NET any -> [104.198.206.229] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200926; rev:1;)
alert tcp $HOME_NET any -> [88.198.77.224] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200927; rev:1;)
alert tcp $HOME_NET any -> [198.27.77.206] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200928; rev:1;)
alert tcp $HOME_NET any -> [102.130.119.142] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200929; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.15] 7061 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200930; rev:1;)
alert tcp $HOME_NET any -> [161.35.38.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200931; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.35] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200932; rev:1;)
alert tcp $HOME_NET any -> [107.175.144.243] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200933; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.112] 37375 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200934; rev:1;)
alert tcp $HOME_NET any -> [139.28.222.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200935; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200936; rev:1;)
alert tcp $HOME_NET any -> [173.234.155.34] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200937; rev:1;)
alert tcp $HOME_NET any -> [78.217.163.197] 1117 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200938; rev:1;)
alert tcp $HOME_NET any -> [185.212.148.63] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200939; rev:1;)
alert tcp $HOME_NET any -> [64.225.101.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200940; rev:1;)
# NOTE(review): the next two rules match the same destination
#   (185.165.153.215:6606) and differ only in msg and sid, so one connection
#   raises both alerts. The match itself cannot tell RevengeRAT from AsyncRAT;
#   treat the family label as a hint and deduplicate on destination downstream.
alert tcp $HOME_NET any -> [185.165.153.215] 6606 (msg:"SSLBL: Traffic to malicious host (likely RevengeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200941; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.215] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200942; rev:1;)
alert tcp $HOME_NET any -> [82.208.161.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200943; rev:1;)
alert tcp $HOME_NET any -> [194.113.235.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200944; rev:1;)
alert tcp $HOME_NET any -> [185.14.31.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200945; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.100] 45678 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200946; rev:1;)
alert tcp $HOME_NET any -> [180.214.236.107] 6590 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200947; rev:1;)
alert tcp $HOME_NET any -> [95.217.81.68] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200948; rev:1;)
alert tcp $HOME_NET any -> [182.190.24.221] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200949; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.125] 442 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200950; rev:1;)
alert tcp $HOME_NET any -> [161.117.87.168] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200951; rev:1;)
alert tcp $HOME_NET any -> [104.248.138.198] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200952; rev:1;)
alert tcp $HOME_NET any -> [34.222.222.126] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200953; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.49] 1952 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200954; rev:1;)
alert tcp $HOME_NET any -> [51.15.21.149] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200955; rev:1;)
alert tcp $HOME_NET any -> [103.242.134.79] 43 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200956; rev:1;)
alert tcp $HOME_NET any -> [45.147.201.55] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200957; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.236] 9932 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200958; rev:1;)
alert tcp $HOME_NET any -> [64.227.8.3] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200959; rev:1;)
alert tcp $HOME_NET any -> [46.183.221.30] 6434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200960; rev:1;)
alert tcp $HOME_NET any -> [172.94.18.253] 6699 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200961; rev:1;)
alert tcp $HOME_NET any -> [77.30.145.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200962; rev:1;)
alert tcp $HOME_NET any -> [23.108.57.5] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200963; rev:1;)
alert tcp $HOME_NET any -> [178.48.154.38] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200964; rev:1;)
alert tcp $HOME_NET any -> [178.79.158.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200965; rev:1;)
alert tcp $HOME_NET any -> [172.104.239.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200966; rev:1;)
alert tcp $HOME_NET any -> [91.201.175.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200967; rev:1;)
alert tcp $HOME_NET any -> [5.56.73.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200968; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.175] 7071 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200969; rev:1;)
alert tcp $HOME_NET any -> [178.238.8.102] 8855 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200970; rev:1;)
alert tcp $HOME_NET any -> [23.227.196.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200971; rev:1;)
# NOTE(review): the next two rules match the same destination
#   (8.208.80.205:443) under two labels (ZLoader and the generic "Malware"),
#   so one connection raises both alerts.
alert tcp $HOME_NET any -> [8.208.80.205] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200972; rev:1;)
alert tcp $HOME_NET any -> [8.208.80.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200973; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 44137 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200974; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.161] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200975; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.75] 20987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200976; rev:1;)
alert tcp $HOME_NET any -> [80.83.26.132] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200977; rev:1;)
alert tcp $HOME_NET any -> [84.211.45.238] 1085 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200978; rev:1;)
alert tcp $HOME_NET any -> [174.138.59.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200979; rev:1;)
alert tcp $HOME_NET any -> [31.184.253.197] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200980; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.92] 2512 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200981; rev:1;)
alert tcp $HOME_NET any -> [134.209.172.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200982; rev:1;)
alert tcp $HOME_NET any -> [190.84.167.48] 1881 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200983; rev:1;)
alert tcp $HOME_NET any -> [83.11.162.79] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200984; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200985; rev:1;)
alert tcp $HOME_NET any -> [88.218.16.218] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200986; rev:1;)
alert tcp $HOME_NET any -> [144.217.211.203] 6714 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200987; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.14] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200988; rev:1;)
alert tcp $HOME_NET any -> [104.237.252.50] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200989; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.14] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200990; rev:1;)
alert tcp $HOME_NET any -> [85.74.134.20] 4782 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200991; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.23] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200992; rev:1;)
alert tcp $HOME_NET any -> [45.32.167.239] 6606 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200993; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.134] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200994; rev:1;)
# NOTE(review): the next two rules match the same destination
#   (5.181.156.5:443) under two labels (the generic "Malware" and ServHelper),
#   so one connection raises both alerts.
alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200995; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200996; rev:1;)
alert tcp $HOME_NET any -> [45.153.240.114] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200997; rev:1;)
alert tcp $HOME_NET any -> [192.253.255.182] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200998; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 8808 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200999; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.58] 20909 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201000; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.214] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201001; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.190] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201002; rev:1;)
alert tcp $HOME_NET any -> [3.17.10.122] 8780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201003; rev:1;)
alert tcp $HOME_NET any -> [94.239.225.11] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201004; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.175] 20209 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201005; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.75] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201006; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.120] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201007; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.161] 29060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201008; rev:1;)
alert tcp $HOME_NET any -> [46.183.221.31] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201009; rev:1;)
# ---------------------------------------------------------------------------
# Triage notes for the rules below (one rule per line):
#   * The only match criteria are destination IP and destination port on an
#     established client-to-server TCP session from $HOME_NET
#     (flow:established,to_server); nothing in the payload or TLS handshake is
#     inspected.
#   * threshold: type limit, track by_src, seconds 60, count 1 caps each rule
#     at one alert per source address per 60 seconds. The cap is per sid, so a
#     host reaching the same IP on two listed ports (e.g. 176.31.26.213 on
#     6606 and 7707) still produces one alert for each rule.
#   * The family in msg is stated as "likely"; "Malware" is a generic label
#     with no family given.
# NOTE(review): many destinations here are on port 443 and may be hosted on
#   shared cloud or CDN address space -- confirm current ownership (WHOIS,
#   passive DNS) and look for matching endpoint or TLS-certificate evidence
#   before treating a hit as confirmed C2.
# NOTE(review): the entries are point-in-time indicators; compare the feed's
#   "Last updated" time with the alert time, since addresses are reassigned.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [185.140.53.196] 5679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201010; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.71] 8364 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201011; rev:1;)
alert tcp $HOME_NET any -> [46.17.96.46] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201012; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.247] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201013; rev:1;)
alert tcp $HOME_NET any -> [5.45.68.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201014; rev:1;)
alert tcp $HOME_NET any -> [83.11.89.28] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201015; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201016; rev:1;)
alert tcp $HOME_NET any -> [8.208.89.223] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201017; rev:1;)
alert tcp $HOME_NET any -> [77.247.127.128] 8855 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201018; rev:1;)
alert tcp $HOME_NET any -> [176.31.26.213] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201019; rev:1;)
alert tcp $HOME_NET any -> [176.31.26.213] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201020; rev:1;)
alert tcp $HOME_NET any -> [169.255.59.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Loki C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201021; rev:1;)
alert tcp $HOME_NET any -> [143.204.201.33] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201022; rev:1;)
alert tcp $HOME_NET any -> [216.170.125.102] 3582 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201023; rev:1;)
alert tcp $HOME_NET any -> [217.146.88.66] 9340 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201024; rev:1;)
alert tcp $HOME_NET any -> [91.211.246.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201025; rev:1;)
alert tcp $HOME_NET any -> [188.130.138.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201026; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.49] 1384 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201027; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.219] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201028; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.16] 6403 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201029; rev:1;)
alert tcp $HOME_NET any -> [47.89.208.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201030; rev:1;)
alert tcp $HOME_NET any -> [157.245.11.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201031; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.97] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201032; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.23] 8077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201033; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.55] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201034; rev:1;)
alert tcp $HOME_NET any -> [149.56.234.156] 1485 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201035; rev:1;)
alert tcp $HOME_NET any -> [84.16.248.160] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201036; rev:1;)
alert tcp $HOME_NET any -> [46.29.165.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201037; rev:1;)
alert tcp $HOME_NET any -> [91.210.169.101] 6404 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201038; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.55] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201039; rev:1;)
alert tcp $HOME_NET any -> [207.246.95.196] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201040; rev:1;)
alert tcp $HOME_NET any -> [51.89.201.48] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201041; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.53] 1050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201042; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.249] 4590 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201043; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.54] 3421 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201044; rev:1;)
alert tcp $HOME_NET any -> [89.238.181.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201045; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 82 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201046; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.130] 2001 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201047; rev:1;)
alert tcp $HOME_NET any -> [8.209.77.210] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201048; rev:1;)
alert tcp $HOME_NET any -> [103.147.185.179] 5891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201049; rev:1;)
alert tcp $HOME_NET any -> [103.114.105.3] 8780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201050; rev:1;)
alert tcp $HOME_NET any -> [188.130.138.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201051; rev:1;)
alert tcp $HOME_NET any -> [103.133.107.247] 3310 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201052; rev:1;)
alert tcp $HOME_NET any -> [103.141.137.242] 5454 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201053; rev:1;)
alert tcp $HOME_NET any -> [161.117.227.195] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201054; rev:1;)
alert tcp $HOME_NET any -> [45.129.2.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201055; rev:1;)
alert tcp $HOME_NET any -> [109.248.11.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201056; rev:1;)
alert tcp $HOME_NET any -> [103.147.185.179] 5890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201057; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.76] 9087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201058; rev:1;)
alert tcp $HOME_NET any -> [103.125.190.243] 8965 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201059; rev:1;)
alert tcp $HOME_NET any -> [119.28.159.130] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201060; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.120] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201061; rev:1;)
alert tcp $HOME_NET any -> [45.140.168.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201062; rev:1;)
alert tcp $HOME_NET any -> [88.119.175.105] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201063; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.144] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201064; rev:1;)
alert tcp $HOME_NET any -> [216.38.2.208] 1050 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201065; rev:1;) alert tcp $HOME_NET any -> [46.29.167.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201066; rev:1;) alert tcp $HOME_NET any -> [105.103.91.155] 5552 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201067; rev:1;) alert tcp $HOME_NET any -> [139.60.161.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201068; rev:1;) alert tcp $HOME_NET any -> [37.48.92.195] 6025 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201069; rev:1;) alert tcp $HOME_NET any -> [45.125.239.253] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201070; rev:1;) alert tcp $HOME_NET any -> [141.255.156.106] 6606 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201071; rev:1;) alert tcp $HOME_NET any -> [95.211.140.160] 8514 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201072; rev:1;) alert tcp $HOME_NET 
any -> [45.125.239.50] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201073; rev:1;)
# Review note: each rule carries "threshold: type limit, track by_src,
# seconds 60, count 1", i.e. at most one alert per source address per
# 60 seconds for that rule. The number of alerts therefore does not tell you
# how many connections a host made; use flow or connection logs for volume
# and timing when scoping a hit.
alert tcp $HOME_NET any -> [185.141.61.237] 1010 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201074; rev:1;)
alert tcp $HOME_NET any -> [78.108.185.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201075; rev:1;)
alert tcp $HOME_NET any -> [31.49.13.58] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201076; rev:1;)
alert tcp $HOME_NET any -> [89.33.246.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201077; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.231] 2424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201078; rev:1;)
# NOTE(review): port 2 stands out next to this host's other entries in the
# ruleset (82, 7707, 6606). The rule text cannot show whether it is intended;
# verify against the upstream feed before relying on this sid.
alert tcp $HOME_NET any -> [84.51.52.166] 2 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201079; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201080; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201081; rev:1;)
alert tcp $HOME_NET any -> [45.147.229.106] 8720 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201082; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 6178 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201083; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 7777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201084; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201085; rev:1;)
alert tcp $HOME_NET any -> [69.133.56.83] 444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201086; rev:1;)
alert tcp $HOME_NET any -> [41.103.199.216] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201087; rev:1;)
alert tcp $HOME_NET any -> [176.57.215.142] 443 (msg:"SSLBL: Traffic to malicious host (likely KPOTStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201088; rev:1;)
alert tcp $HOME_NET any -> [184.164.139.226] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201089; rev:1;)
alert tcp $HOME_NET any -> [5.188.9.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201090; rev:1;)
alert tcp $HOME_NET any -> [51.75.154.242] 1515 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201091; rev:1;)
alert tcp $HOME_NET any -> [185.101.93.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201092; rev:1;)
alert tcp $HOME_NET any -> [37.228.132.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201093; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.142] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201094; rev:1;)
alert tcp $HOME_NET any -> [192.95.20.152] 443 (msg:"SSLBL: Traffic to malicious host (likely BlueBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201095; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201096; rev:1;)
alert tcp $HOME_NET any -> [195.123.224.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201097; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.235] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201098; rev:1;)
alert tcp $HOME_NET any -> [47.74.63.135] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201099; rev:1;)
alert tcp $HOME_NET any -> [8.208.28.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201100; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.212] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201101; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.175] 20804 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201102; rev:1;)
alert tcp $HOME_NET any -> [192.227.231.18] 1921 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201103; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.165] 3434 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201104; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201105; rev:1;)
alert tcp $HOME_NET any -> [37.72.175.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201106; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.143] 2128 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201107; rev:1;)
alert tcp $HOME_NET any -> [46.21.147.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201108; rev:1;)
alert tcp $HOME_NET any -> [37.221.114.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201109; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.225] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201110; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.193] 6065 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201111; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.21] 3232 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)";
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201112; rev:1;)
# Review note: sid:905201113 and sid:905201114 name the same destination
# (94.158.245.160:443) with different family labels ("Malware" and
# "ServHelper"), so a single connection can raise both alerts. Correlate and
# deduplicate on destination IP and port rather than on the msg text.
# 37.48.92.195 is likewise listed on several ports (4028, 2034, 2022 here).
# These rules key on address and port only; whether a listed address is still
# used for the labelled activity cannot be read from the rule, so confirm a
# hit against current feed data and host-side evidence.
alert tcp $HOME_NET any -> [94.158.245.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201113; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.160] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201114; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.90] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201115; rev:1;)
alert tcp $HOME_NET any -> [185.70.186.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201116; rev:1;)
alert tcp $HOME_NET any -> [216.38.8.168] 3856 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201117; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.6] 5934 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201118; rev:1;)
alert tcp $HOME_NET any -> [194.33.45.146] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201119; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 3232 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201120; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.137] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201121; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 20804 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201122; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.137] 9996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201123; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.71] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201124; rev:1;)
alert tcp $HOME_NET any -> [196.229.250.239] 3000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201125; rev:1;)
alert tcp $HOME_NET any -> [88.150.189.98] 1903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201126; rev:1;)
alert tcp $HOME_NET any -> [88.150.189.98] 9956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201127; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.14] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201128; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.83] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201129; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 4028 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201130; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.21] 2526 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201131; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.145] 1960 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201132; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201133; rev:1;)
alert tcp $HOME_NET any -> [91.215.169.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201134; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.228] 20908 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201135; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 2034 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201136; rev:1;)
alert tcp $HOME_NET any -> [134.19.179.187] 32741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201137; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.110] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201138; rev:1;)
alert tcp $HOME_NET any -> [45.128.133.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201139; rev:1;)
alert tcp $HOME_NET any -> [82.64.128.42] 5502 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201140; rev:1;)
alert tcp $HOME_NET any -> [82.64.128.42] 5501 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201141; rev:1;)
alert tcp $HOME_NET any -> [84.38.133.132] 3202 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201142; rev:1;)
alert tcp $HOME_NET any -> [184.75.223.219] 32741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201143; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.239] 2091 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201144; rev:1;)
alert tcp $HOME_NET any -> [172.94.100.10] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201145; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 2022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201146; rev:1;)
alert tcp $HOME_NET any -> [64.225.74.231] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201147; rev:1;)
alert tcp $HOME_NET any -> [67.43.224.156] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201148; rev:1;)
alert tcp $HOME_NET any -> [144.217.211.203] 1855 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201149; rev:1;)
alert tcp $HOME_NET any -> [141.255.147.132] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201150; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.13] 7250 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1;
classtype:trojan-activity; sid:905201151; rev:1;)
# Review note: the rules below alert on destination IP and port only, so any
# traffic from $HOME_NET to a listed address on the listed port matches,
# whatever the service behind it. Addresses on shared hosting, CDN or cloud
# ranges can therefore produce alerts for unrelated traffic; treat a hit as a
# lead to corroborate (TLS certificate, SNI, endpoint telemetry), not as proof
# of infection.
# Several destinations share the 79.134.225. prefix (.71, .109, .101, .10,
# .99, .29, .5, .97), which is worth keeping in mind when grouping alerts.
alert tcp $HOME_NET any -> [184.75.223.235] 3460 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201152; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.17] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201153; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201154; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.109] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201155; rev:1;)
alert tcp $HOME_NET any -> [69.65.7.136] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201156; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.101] 7872 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201157; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.10] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201158; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201159; rev:1;)
alert tcp $HOME_NET any -> [198.46.141.251] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201160; rev:1;)
alert tcp $HOME_NET any -> [128.199.57.93] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201161; rev:1;)
alert tcp $HOME_NET any -> [193.37.213.157] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201162; rev:1;)
alert tcp $HOME_NET any -> [47.252.2.199] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201163; rev:1;)
alert tcp $HOME_NET any -> [168.235.111.253] 56453 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201164; rev:1;)
alert tcp $HOME_NET any -> [185.136.163.128] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201165; rev:1;)
alert tcp $HOME_NET any -> [60.51.99.42] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201166; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.84] 2803 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201167; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.60] 7071 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201168; rev:1;)
alert tcp $HOME_NET any -> [185.243.242.116] 7766 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201169; rev:1;)
alert tcp $HOME_NET any -> [111.90.142.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201170; rev:1;)
# NOTE(review): 13.224.102.128 looks like it sits in address space used by a
# large CDN (Amazon CloudFront) - TODO confirm against the provider's
# published ranges. If so, this address fronts many unrelated sites and the
# rule below is a likely source of false positives on port 443.
alert tcp $HOME_NET any -> [13.224.102.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201171; rev:1;)
alert tcp $HOME_NET any -> [185.183.96.231] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201172; rev:1;)
alert tcp $HOME_NET any -> [176.31.88.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201173; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.223] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201174; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.71] 1788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201175; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.29] 2128 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201176; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.5] 1369 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201177; rev:1;)
alert tcp $HOME_NET any -> [37.72.175.233] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201178; rev:1;)
alert tcp $HOME_NET any -> [185.203.236.236] 6874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201179; rev:1;)
alert tcp $HOME_NET any -> [142.44.253.233] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201180; rev:1;)
alert tcp $HOME_NET any -> [45.74.53.124] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201181; rev:1;)
alert tcp $HOME_NET any -> [123.240.25.197] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201182; rev:1;)
alert tcp $HOME_NET any -> [185.86.4.70] 4785 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201183; rev:1;)
alert tcp $HOME_NET any -> [142.147.97.150] 6084 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201184; rev:1;)
alert tcp $HOME_NET any -> [195.123.246.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201185; rev:1;)
alert tcp $HOME_NET any -> [185.159.82.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201186; rev:1;)
alert tcp $HOME_NET any -> [45.89.230.124] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201187; rev:1;)
alert tcp $HOME_NET any -> [47.241.27.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201188; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 2121 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201189; rev:1;)
alert tcp $HOME_NET any -> [185.203.236.237] 6683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201190; rev:1;)
alert tcp $HOME_NET any -> [35.192.205.70] 6969 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201191; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.147] 4789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201192; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.154] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201193; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 20908 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201194; rev:1;)
alert tcp $HOME_NET any -> [192.3.2.150] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201195; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.97] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201196; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.154] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201197; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.29] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity;
sid:905201198; rev:1;) alert tcp $HOME_NET any -> [118.100.66.100] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201199; rev:1;) alert tcp $HOME_NET any -> [95.213.195.71] 17171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201200; rev:1;) alert tcp $HOME_NET any -> [79.186.190.12] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201201; rev:1;) alert tcp $HOME_NET any -> [212.162.150.118] 6874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201202; rev:1;) alert tcp $HOME_NET any -> [46.17.47.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201203; rev:1;) alert tcp $HOME_NET any -> [45.147.200.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201204; rev:1;) alert tcp $HOME_NET any -> [46.21.144.10] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201205; rev:1;) alert tcp $HOME_NET any -> [193.37.213.56] 2040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201206; rev:1;) alert tcp $HOME_NET any -> [195.123.246.12] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201207; rev:1;) alert tcp $HOME_NET any -> [167.99.11.50] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201208; rev:1;) alert tcp $HOME_NET any -> [23.95.94.154] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201209; rev:1;) alert tcp $HOME_NET any -> [91.189.180.195] 7618 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201210; rev:1;) alert tcp $HOME_NET any -> [193.37.213.56] 2030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201211; rev:1;) alert tcp $HOME_NET any -> [37.120.140.165] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201212; rev:1;) alert tcp $HOME_NET any -> [185.154.21.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201213; rev:1;) alert tcp $HOME_NET any -> [45.66.250.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905201214; rev:1;) alert tcp $HOME_NET any -> [82.118.22.9] 8085 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201215; rev:1;) alert tcp $HOME_NET any -> [210.183.117.215] 6124 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201216; rev:1;) alert tcp $HOME_NET any -> [193.32.188.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201217; rev:1;) alert tcp $HOME_NET any -> [193.37.213.42] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201218; rev:1;) alert tcp $HOME_NET any -> [62.108.37.42] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201219; rev:1;) alert tcp $HOME_NET any -> [175.141.217.222] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201220; rev:1;) alert tcp $HOME_NET any -> [45.140.169.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201221; rev:1;) alert tcp $HOME_NET any -> [47.245.30.255] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201222; rev:1;) alert tcp $HOME_NET any -> [149.167.94.36] 10196 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201223; rev:1;) alert tcp $HOME_NET any -> [23.81.246.113] 6059 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201224; rev:1;) alert tcp $HOME_NET any -> [139.99.122.112] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201225; rev:1;) alert tcp $HOME_NET any -> [190.97.162.37] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201226; rev:1;) alert tcp $HOME_NET any -> [204.152.201.172] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201227; rev:1;) alert tcp $HOME_NET any -> [79.134.225.10] 6050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201228; rev:1;) alert tcp $HOME_NET any -> [94.158.245.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201229; rev:1;) alert tcp $HOME_NET any -> [94.158.245.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201230; rev:1;) alert tcp $HOME_NET any -> [185.225.17.227] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201231; rev:1;) alert tcp $HOME_NET any -> [93.190.93.25] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201232; rev:1;) alert tcp $HOME_NET any -> [217.29.57.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201233; rev:1;) alert tcp $HOME_NET any -> [93.190.93.108] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201234; rev:1;) alert tcp $HOME_NET any -> [92.38.184.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201235; rev:1;) alert tcp $HOME_NET any -> [41.46.250.43] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201236; rev:1;) alert tcp $HOME_NET any -> [82.192.82.102] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201237; rev:1;) alert tcp $HOME_NET any -> [167.172.164.197] 8443 (msg:"SSLBL: Traffic to 
malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201238; rev:1;) alert tcp $HOME_NET any -> [91.215.169.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201239; rev:1;) alert tcp $HOME_NET any -> [43.226.229.82] 5288 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201240; rev:1;) alert tcp $HOME_NET any -> [104.129.27.166] 5210 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201241; rev:1;) alert tcp $HOME_NET any -> [144.168.239.42] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201242; rev:1;) alert tcp $HOME_NET any -> [64.225.20.238] 2030 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201243; rev:1;) alert tcp $HOME_NET any -> [82.64.128.42] 6613 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201244; rev:1;) alert tcp $HOME_NET any -> [13.225.78.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201245; rev:1;) alert tcp $HOME_NET any -> [51.83.200.181] 
1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201246; rev:1;) alert tcp $HOME_NET any -> [111.90.156.119] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201247; rev:1;) alert tcp $HOME_NET any -> [217.146.88.175] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201248; rev:1;) alert tcp $HOME_NET any -> [185.176.222.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201249; rev:1;) alert tcp $HOME_NET any -> [192.119.71.129] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201250; rev:1;) alert tcp $HOME_NET any -> [151.248.126.195] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201251; rev:1;) alert tcp $HOME_NET any -> [185.10.68.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201252; rev:1;) alert tcp $HOME_NET any -> [176.107.160.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201253; rev:1;) alert tcp 
$HOME_NET any -> [181.141.0.182] 1898 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201254; rev:1;) alert tcp $HOME_NET any -> [185.244.30.74] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201255; rev:1;) alert tcp $HOME_NET any -> [185.209.20.124] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201256; rev:1;) alert tcp $HOME_NET any -> [115.134.230.49] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201257; rev:1;) alert tcp $HOME_NET any -> [95.211.140.172] 6687 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201258; rev:1;) alert tcp $HOME_NET any -> [108.62.141.34] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201259; rev:1;) alert tcp $HOME_NET any -> [82.64.128.42] 6617 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201260; rev:1;) alert tcp $HOME_NET any -> [85.143.222.85] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201261; rev:1;) alert tcp $HOME_NET any -> [185.158.154.218] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201262; rev:1;) alert tcp $HOME_NET any -> [47.244.208.18] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201263; rev:1;) alert tcp $HOME_NET any -> [91.215.169.244] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201264; rev:1;) alert tcp $HOME_NET any -> [91.215.169.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201265; rev:1;) alert tcp $HOME_NET any -> [176.107.160.70] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201266; rev:1;) alert tcp $HOME_NET any -> [176.107.160.70] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201267; rev:1;) alert tcp $HOME_NET any -> [178.124.140.143] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201268; rev:1;) alert tcp $HOME_NET any -> [47.252.11.17] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905201269; rev:1;) alert tcp $HOME_NET any -> [148.72.172.101] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201270; rev:1;) alert tcp $HOME_NET any -> [176.107.160.11] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201271; rev:1;) alert tcp $HOME_NET any -> [190.211.254.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201272; rev:1;) alert tcp $HOME_NET any -> [193.164.150.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201273; rev:1;) alert tcp $HOME_NET any -> [111.90.156.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201274; rev:1;) alert tcp $HOME_NET any -> [46.17.44.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201275; rev:1;) alert tcp $HOME_NET any -> [195.123.222.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201276; rev:1;) alert tcp $HOME_NET any -> [193.233.149.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201277; rev:1;) alert tcp $HOME_NET any -> [188.127.230.203] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201278; rev:1;) alert tcp $HOME_NET any -> [49.51.136.157] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201279; rev:1;) alert tcp $HOME_NET any -> [46.166.173.155] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201280; rev:1;) alert tcp $HOME_NET any -> [5.63.154.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201281; rev:1;) alert tcp $HOME_NET any -> [95.217.17.191] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201282; rev:1;) alert tcp $HOME_NET any -> [209.127.19.34] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201283; rev:1;) alert tcp $HOME_NET any -> [134.0.118.45] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201284; rev:1;) alert tcp $HOME_NET any -> [216.170.126.139] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201285; rev:1;) alert tcp $HOME_NET any -> [45.139.186.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201286; rev:1;) alert tcp $HOME_NET any -> [45.143.138.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201287; rev:1;) alert tcp $HOME_NET any -> [144.202.5.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201288; rev:1;) alert tcp $HOME_NET any -> [179.155.124.71] 15000 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201289; rev:1;) alert tcp $HOME_NET any -> [62.108.37.11] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201290; rev:1;) alert tcp $HOME_NET any -> [192.3.2.152] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201291; rev:1;) alert tcp $HOME_NET any -> [216.218.185.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201292; rev:1;) alert tcp $HOME_NET any -> [45.128.184.104] 443 (msg:"SSLBL: Traffic to malicious host 
(likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201293; rev:1;) alert tcp $HOME_NET any -> [80.85.158.73] 7768 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201294; rev:1;) alert tcp $HOME_NET any -> [185.205.209.194] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201295; rev:1;) alert tcp $HOME_NET any -> [185.163.47.156] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201296; rev:1;) alert tcp $HOME_NET any -> [49.51.154.98] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201297; rev:1;) alert tcp $HOME_NET any -> [46.29.164.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201298; rev:1;) alert tcp $HOME_NET any -> [194.127.179.82] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201299; rev:1;) alert tcp $HOME_NET any -> [79.174.13.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201300; rev:1;) alert tcp $HOME_NET any -> [109.248.222.22] 443 
(msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201301; rev:1;) alert tcp $HOME_NET any -> [45.143.138.27] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201302; rev:1;) alert tcp $HOME_NET any -> [45.143.138.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201303; rev:1;) alert tcp $HOME_NET any -> [37.252.1.57] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201304; rev:1;) alert tcp $HOME_NET any -> [188.120.241.68] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201305; rev:1;) alert tcp $HOME_NET any -> [188.127.227.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201306; rev:1;) alert tcp $HOME_NET any -> [95.169.181.90] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201307; rev:1;) alert tcp $HOME_NET any -> [194.58.98.72] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201308; rev:1;) alert tcp 
$HOME_NET any -> [45.129.2.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201309; rev:1;) alert tcp $HOME_NET any -> [176.103.62.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201310; rev:1;) alert tcp $HOME_NET any -> [37.48.83.137] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201311; rev:1;) alert tcp $HOME_NET any -> [141.255.154.30] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201312; rev:1;) alert tcp $HOME_NET any -> [45.72.3.132] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201313; rev:1;) alert tcp $HOME_NET any -> [194.67.105.88] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201314; rev:1;) alert tcp $HOME_NET any -> [198.54.125.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201315; rev:1;) alert tcp $HOME_NET any -> [108.174.198.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201316; rev:1;) alert tcp $HOME_NET any -> [185.189.68.74] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201317; rev:1;) alert tcp $HOME_NET any -> [95.217.99.22] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201318; rev:1;) alert tcp $HOME_NET any -> [95.211.170.231] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201319; rev:1;) alert tcp $HOME_NET any -> [185.48.56.111] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201320; rev:1;) alert tcp $HOME_NET any -> [69.30.240.82] 4358 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201321; rev:1;) alert tcp $HOME_NET any -> [103.133.109.147] 4434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201322; rev:1;) alert tcp $HOME_NET any -> [195.19.192.46] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201323; rev:1;) alert tcp $HOME_NET any -> [45.86.182.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201324; rev:1;) alert tcp $HOME_NET any -> [45.137.22.45] 50572 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201325; rev:1;) alert tcp $HOME_NET any -> [45.80.69.34] 443 (msg:"SSLBL: Traffic to malicious host (likely CobInt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201326; rev:1;) alert tcp $HOME_NET any -> [174.127.99.243] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201327; rev:1;) alert tcp $HOME_NET any -> [185.202.174.36] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201328; rev:1;) alert tcp $HOME_NET any -> [188.225.38.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201329; rev:1;) alert tcp $HOME_NET any -> [62.76.179.117] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201330; rev:1;) alert tcp $HOME_NET any -> [188.225.26.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201331; rev:1;) alert tcp $HOME_NET any -> [45.140.168.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201332; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.99] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201333; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.217] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201334; rev:1;)
alert tcp $HOME_NET any -> [176.53.163.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201335; rev:1;)
alert tcp $HOME_NET any -> [172.247.227.11] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201336; rev:1;)
alert tcp $HOME_NET any -> [31.192.109.47] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201337; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.244] 2211 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201338; rev:1;)
# NOTE(review): 104.27.181.27 appears to fall in a range operated by a CDN /
# reverse-proxy provider -- confirm with a whois lookup. If so, the address
# fronts many unrelated sites, and because this rule matches IP:443 only it
# will also fire on benign traffic. Corroborate a hit with TLS SNI or
# certificate data before treating the source host as infected.
alert tcp $HOME_NET any -> [104.27.181.27] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201339; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.82] 1112 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201340; rev:1;) alert tcp $HOME_NET any -> [185.140.53.217] 2002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201341; rev:1;) alert tcp $HOME_NET any -> [37.48.92.195] 1786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201342; rev:1;) alert tcp $HOME_NET any -> [45.143.138.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201343; rev:1;) alert tcp $HOME_NET any -> [37.48.94.115] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201344; rev:1;) alert tcp $HOME_NET any -> [193.233.78.25] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201345; rev:1;) alert tcp $HOME_NET any -> [62.109.5.243] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201346; rev:1;) alert tcp $HOME_NET any -> [83.166.250.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201347; rev:1;) alert tcp $HOME_NET any -> [185.231.245.119] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201348; rev:1;) alert tcp $HOME_NET any -> [185.180.196.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201349; rev:1;) alert tcp $HOME_NET any -> [45.128.187.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201350; rev:1;) alert tcp $HOME_NET any -> [45.143.138.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201351; rev:1;) alert tcp $HOME_NET any -> [185.144.30.54] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201352; rev:1;) alert tcp $HOME_NET any -> [46.8.208.36] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201353; rev:1;) alert tcp $HOME_NET any -> [134.0.116.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201354; rev:1;) alert tcp $HOME_NET any -> [37.46.130.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201355; rev:1;) alert tcp $HOME_NET any -> [74.36.14.147] 54984 (msg:"SSLBL: 
Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201356; rev:1;) alert tcp $HOME_NET any -> [185.65.202.7] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201357; rev:1;) alert tcp $HOME_NET any -> [195.69.187.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201358; rev:1;) alert tcp $HOME_NET any -> [45.67.229.220] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201359; rev:1;) alert tcp $HOME_NET any -> [94.103.82.31] 443 (msg:"SSLBL: Traffic to malicious host (likely CobInt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201360; rev:1;) alert tcp $HOME_NET any -> [91.121.235.6] 1515 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201361; rev:1;) alert tcp $HOME_NET any -> [194.5.97.59] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201362; rev:1;) alert tcp $HOME_NET any -> [185.140.53.6] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201363; rev:1;) alert tcp $HOME_NET any -> 
[45.143.138.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201364; rev:1;) alert tcp $HOME_NET any -> [83.166.245.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201365; rev:1;) alert tcp $HOME_NET any -> [91.214.119.30] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201366; rev:1;) alert tcp $HOME_NET any -> [79.134.225.12] 6036 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201367; rev:1;) alert tcp $HOME_NET any -> [176.32.32.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201368; rev:1;) alert tcp $HOME_NET any -> [185.117.155.48] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201369; rev:1;) alert tcp $HOME_NET any -> [176.32.33.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201370; rev:1;) alert tcp $HOME_NET any -> [46.29.163.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201371; rev:1;) alert tcp 
$HOME_NET any -> [185.244.30.222] 5200 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201372; rev:1;) alert tcp $HOME_NET any -> [194.61.1.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201373; rev:1;) alert tcp $HOME_NET any -> [46.29.161.246] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201374; rev:1;) alert tcp $HOME_NET any -> [95.217.19.128] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201375; rev:1;) alert tcp $HOME_NET any -> [149.154.159.226] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201376; rev:1;) alert tcp $HOME_NET any -> [46.29.161.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201377; rev:1;) alert tcp $HOME_NET any -> [185.61.154.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201378; rev:1;) alert tcp $HOME_NET any -> [79.134.225.47] 6234 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201379; 
rev:1;) alert tcp $HOME_NET any -> [83.166.242.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201380; rev:1;) alert tcp $HOME_NET any -> [91.224.22.60] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201381; rev:1;) alert tcp $HOME_NET any -> [141.105.64.132] 1606 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201382; rev:1;) alert tcp $HOME_NET any -> [54.255.139.136] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201383; rev:1;) alert tcp $HOME_NET any -> [84.54.187.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201384; rev:1;) alert tcp $HOME_NET any -> [89.35.29.52] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201385; rev:1;) alert tcp $HOME_NET any -> [119.31.127.51] 4444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201386; rev:1;) alert tcp $HOME_NET any -> [79.134.225.114] 5040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201387; rev:1;) alert tcp $HOME_NET any -> [54.191.72.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201388; rev:1;) alert tcp $HOME_NET any -> [193.109.69.17] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201389; rev:1;) alert tcp $HOME_NET any -> [45.89.230.51] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201390; rev:1;) alert tcp $HOME_NET any -> [77.222.63.110] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201391; rev:1;) alert tcp $HOME_NET any -> [173.212.248.28] 8443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201392; rev:1;) alert tcp $HOME_NET any -> [216.38.2.206] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201393; rev:1;) alert tcp $HOME_NET any -> [185.165.153.60] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201394; rev:1;) alert tcp $HOME_NET any -> [185.165.153.27] 44985 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201395; rev:1;) alert tcp $HOME_NET any -> [77.220.205.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201396; rev:1;) alert tcp $HOME_NET any -> [45.139.236.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201397; rev:1;) alert tcp $HOME_NET any -> [13.69.254.90] 77 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201398; rev:1;) alert tcp $HOME_NET any -> [185.147.15.21] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201399; rev:1;) alert tcp $HOME_NET any -> [185.130.104.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201400; rev:1;) alert tcp $HOME_NET any -> [198.50.217.185] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201401; rev:1;) alert tcp $HOME_NET any -> [45.67.231.175] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201402; rev:1;) alert tcp $HOME_NET any -> [79.134.225.92] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201403; rev:1;) alert tcp $HOME_NET any -> [173.249.23.208] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201404; rev:1;) alert tcp $HOME_NET any -> [185.174.172.99] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201405; rev:1;) alert tcp $HOME_NET any -> [81.25.71.88] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201406; rev:1;) alert tcp $HOME_NET any -> [185.140.53.135] 7654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201407; rev:1;) alert tcp $HOME_NET any -> [176.227.191.12] 25530 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201408; rev:1;) alert tcp $HOME_NET any -> [2.91.161.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201409; rev:1;) alert tcp $HOME_NET any -> [5.61.40.237] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201410; rev:1;) alert tcp $HOME_NET any -> [185.118.165.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201411; rev:1;) alert tcp $HOME_NET any -> [79.134.225.76] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201412; rev:1;) alert tcp $HOME_NET any -> [176.32.32.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201413; rev:1;) alert tcp $HOME_NET any -> [45.144.3.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201414; rev:1;) alert tcp $HOME_NET any -> [79.134.225.79] 204 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201415; rev:1;) alert tcp $HOME_NET any -> [51.77.225.5] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201416; rev:1;) alert tcp $HOME_NET any -> [85.217.171.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201417; rev:1;) alert tcp $HOME_NET any -> [37.252.10.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201418; rev:1;) alert tcp $HOME_NET any -> [185.130.104.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201419; rev:1;) alert tcp $HOME_NET any -> [46.29.164.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201420; rev:1;) alert tcp $HOME_NET any -> [95.110.224.103] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201421; rev:1;) alert tcp $HOME_NET any -> [83.220.175.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201422; rev:1;) alert tcp $HOME_NET any -> [91.218.65.24] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201423; rev:1;) alert tcp $HOME_NET any -> [190.1.237.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201424; rev:1;) alert tcp $HOME_NET any -> [185.113.141.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201425; rev:1;) alert tcp $HOME_NET any -> [195.228.41.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201426; rev:1;) alert tcp $HOME_NET any -> [37.75.61.8] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201427; rev:1;) alert tcp $HOME_NET any -> [94.103.82.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201428; rev:1;) alert tcp $HOME_NET any -> [185.140.53.78] 4811 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201429; rev:1;) alert tcp $HOME_NET any -> [51.83.18.78] 4358 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201430; rev:1;) alert tcp $HOME_NET any -> [93.189.149.187] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201431; rev:1;) alert tcp $HOME_NET any -> [185.165.153.199] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201432; rev:1;) alert tcp $HOME_NET any -> [185.140.53.90] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201433; rev:1;) alert tcp $HOME_NET any -> [185.165.153.175] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201434; rev:1;) alert tcp $HOME_NET any -> 
[213.208.152.216] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201435; rev:1;) alert tcp $HOME_NET any -> [45.144.2.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201436; rev:1;) alert tcp $HOME_NET any -> [193.29.15.147] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201437; rev:1;) alert tcp $HOME_NET any -> [185.157.245.59] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201438; rev:1;) alert tcp $HOME_NET any -> [185.165.153.75] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201439; rev:1;) alert tcp $HOME_NET any -> [138.201.6.195] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201440; rev:1;) alert tcp $HOME_NET any -> [5.188.108.58] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201441; rev:1;) alert tcp $HOME_NET any -> [194.67.86.241] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201442; rev:1;) alert 
tcp $HOME_NET any -> [85.143.219.95] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201443; rev:1;)
alert tcp $HOME_NET any -> [47.111.114.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201444; rev:1;)
alert tcp $HOME_NET any -> [194.58.123.243] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201445; rev:1;)
alert tcp $HOME_NET any -> [91.77.167.80] 18000 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201446; rev:1;)
alert tcp $HOME_NET any -> [45.128.186.79] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201447; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 8808 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201448; rev:1;)
# Same destination (79.134.225.71:8808) as sid 905201448 above; only msg and
# sid differ, so one session produces two alerts carrying different family
# labels. The rule inspects no payload, so neither label is confirmed by the
# match itself. Deduplicate on destination when triaging.
alert tcp $HOME_NET any -> [79.134.225.71] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201449; rev:1;)
alert tcp $HOME_NET any -> [91.230.60.107] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201450; rev:1;) alert tcp $HOME_NET any -> [185.253.219.43] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201451; rev:1;) alert tcp $HOME_NET any -> [51.77.225.5] 1960 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201452; rev:1;) alert tcp $HOME_NET any -> [84.38.129.162] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201453; rev:1;) alert tcp $HOME_NET any -> [188.72.115.200] 24007 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201454; rev:1;) alert tcp $HOME_NET any -> [185.118.66.254] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201455; rev:1;) alert tcp $HOME_NET any -> [90.96.187.205] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201456; rev:1;) alert tcp $HOME_NET any -> [195.133.146.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201457; rev:1;) alert tcp $HOME_NET any -> [185.165.153.150] 4922 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905201458; rev:1;) alert tcp $HOME_NET any -> [45.144.2.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201459; rev:1;) alert tcp $HOME_NET any -> [95.213.139.105] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201460; rev:1;) alert tcp $HOME_NET any -> [178.124.140.136] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201461; rev:1;) alert tcp $HOME_NET any -> [185.140.53.193] 83 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201462; rev:1;) alert tcp $HOME_NET any -> [185.140.53.222] 79 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201463; rev:1;) alert tcp $HOME_NET any -> [95.213.195.71] 3999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201464; rev:1;) alert tcp $HOME_NET any -> [45.147.200.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201465; rev:1;) alert tcp $HOME_NET any -> [45.142.214.21] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201466; rev:1;) alert tcp $HOME_NET any -> [185.156.177.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TinyNuke C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201467; rev:1;) alert tcp $HOME_NET any -> [79.134.225.123] 3930 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201468; rev:1;) alert tcp $HOME_NET any -> [46.148.26.62] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201469; rev:1;) alert tcp $HOME_NET any -> [185.165.153.27] 32765 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201470; rev:1;) alert tcp $HOME_NET any -> [185.163.45.199] 3999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201471; rev:1;) alert tcp $HOME_NET any -> [194.165.3.1] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201472; rev:1;) alert tcp $HOME_NET any -> [217.182.188.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201473; rev:1;) alert tcp $HOME_NET any -> [212.7.208.72] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201474; rev:1;) alert tcp $HOME_NET any -> [91.193.75.151] 2019 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201475; rev:1;) alert tcp $HOME_NET any -> [185.81.157.122] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201476; rev:1;) alert tcp $HOME_NET any -> [103.125.191.106] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201477; rev:1;) alert tcp $HOME_NET any -> [176.10.124.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201478; rev:1;) alert tcp $HOME_NET any -> [199.19.224.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201479; rev:1;) alert tcp $HOME_NET any -> [91.214.71.123] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201480; rev:1;) alert tcp $HOME_NET any -> [185.165.153.28] 20131 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201481; rev:1;) alert tcp $HOME_NET any -> [185.130.104.187] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201482; rev:1;) alert tcp $HOME_NET any -> [79.134.225.104] 7562 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201483; rev:1;) alert tcp $HOME_NET any -> [185.165.153.150] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201484; rev:1;) alert tcp $HOME_NET any -> [81.25.71.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201485; rev:1;) alert tcp $HOME_NET any -> [210.123.126.60] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201486; rev:1;) alert tcp $HOME_NET any -> [79.134.225.118] 6778 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201487; rev:1;) alert tcp $HOME_NET any -> [185.159.82.18] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201488; rev:1;) alert tcp $HOME_NET any -> [195.69.187.132] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201489; rev:1;) alert tcp $HOME_NET any -> [79.134.225.119] 2256 (msg:"SSLBL: Traffic to 
malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201490; rev:1;) alert tcp $HOME_NET any -> [79.134.225.104] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201491; rev:1;) alert tcp $HOME_NET any -> [79.134.225.86] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201492; rev:1;) alert tcp $HOME_NET any -> [79.134.225.83] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201493; rev:1;) alert tcp $HOME_NET any -> [83.166.246.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201494; rev:1;) alert tcp $HOME_NET any -> [45.129.2.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201495; rev:1;) alert tcp $HOME_NET any -> [193.56.28.57] 1944 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201496; rev:1;) alert tcp $HOME_NET any -> [45.140.169.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201497; rev:1;) alert tcp $HOME_NET any -> [46.17.47.148] 443 
(msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201498; rev:1;) alert tcp $HOME_NET any -> [77.222.55.71] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201499; rev:1;) alert tcp $HOME_NET any -> [185.222.202.74] 5760 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201500; rev:1;) alert tcp $HOME_NET any -> [194.5.98.211] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201501; rev:1;) alert tcp $HOME_NET any -> [185.163.47.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201502; rev:1;) alert tcp $HOME_NET any -> [78.31.63.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201503; rev:1;) alert tcp $HOME_NET any -> [79.134.225.95] 43 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201504; rev:1;) alert tcp $HOME_NET any -> [79.134.225.99] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201505; rev:1;) alert tcp $HOME_NET any -> 
[194.67.194.182] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201506; rev:1;) alert tcp $HOME_NET any -> [5.101.88.49] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201507; rev:1;) alert tcp $HOME_NET any -> [79.134.225.107] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201508; rev:1;) alert tcp $HOME_NET any -> [46.29.167.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201509; rev:1;) alert tcp $HOME_NET any -> [194.5.98.103] 8881 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201510; rev:1;) alert tcp $HOME_NET any -> [79.134.225.121] 7442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201511; rev:1;) alert tcp $HOME_NET any -> [185.203.118.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201512; rev:1;) alert tcp $HOME_NET any -> [91.92.128.232] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201513; rev:1;) alert 
tcp $HOME_NET any -> [185.177.59.229] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201514; rev:1;) alert tcp $HOME_NET any -> [93.170.76.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201515; rev:1;) alert tcp $HOME_NET any -> [45.140.168.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201516; rev:1;) alert tcp $HOME_NET any -> [185.36.81.60] 1474 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201517; rev:1;) alert tcp $HOME_NET any -> [185.227.82.51] 4070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201518; rev:1;) alert tcp $HOME_NET any -> [185.163.45.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201519; rev:1;) alert tcp $HOME_NET any -> [185.163.47.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201520; rev:1;) alert tcp $HOME_NET any -> [185.225.17.254] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201521; rev:1;) alert tcp $HOME_NET any -> [82.146.39.206] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware.Nemty C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201522; rev:1;) alert tcp $HOME_NET any -> [178.63.132.28] 1634 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201523; rev:1;) alert tcp $HOME_NET any -> [194.5.98.151] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201524; rev:1;) alert tcp $HOME_NET any -> [89.223.100.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201525; rev:1;) alert tcp $HOME_NET any -> [92.53.71.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201526; rev:1;) alert tcp $HOME_NET any -> [46.21.253.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201527; rev:1;) alert tcp $HOME_NET any -> [85.143.218.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201528; rev:1;) alert tcp $HOME_NET any -> [85.217.171.167] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201529; rev:1;) alert tcp $HOME_NET any -> [46.249.62.203] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201530; rev:1;) alert tcp $HOME_NET any -> [2.57.89.47] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201531; rev:1;) alert tcp $HOME_NET any -> [45.132.19.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware.Nemty C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201532; rev:1;) alert tcp $HOME_NET any -> [151.80.241.113] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201533; rev:1;) alert tcp $HOME_NET any -> [79.134.225.95] 6460 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201534; rev:1;) alert tcp $HOME_NET any -> [193.0.61.106] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201535; rev:1;) alert tcp $HOME_NET any -> [185.253.218.26] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201536; rev:1;) alert tcp $HOME_NET any -> [192.99.211.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201537; rev:1;) alert tcp $HOME_NET any -> [172.94.88.81] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201538; rev:1;) alert tcp $HOME_NET any -> [94.103.94.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201539; rev:1;) alert tcp $HOME_NET any -> [195.19.192.51] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201540; rev:1;) alert tcp $HOME_NET any -> [91.203.5.180] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201541; rev:1;) alert tcp $HOME_NET any -> [79.134.225.11] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201542; rev:1;) alert tcp $HOME_NET any -> [185.105.236.161] 3939 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201543; rev:1;) alert tcp $HOME_NET any -> [66.154.97.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201544; rev:1;) alert tcp $HOME_NET any -> [154.83.15.174] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201545; rev:1;) alert tcp $HOME_NET any -> [104.248.149.132] 4789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201546; rev:1;) alert tcp $HOME_NET any -> [173.212.204.171] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201547; rev:1;) alert tcp $HOME_NET any -> [194.5.98.46] 32765 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201548; rev:1;) alert tcp $HOME_NET any -> [84.38.129.30] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201549; rev:1;) alert tcp $HOME_NET any -> [89.249.65.168] 2025 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201550; rev:1;) alert tcp $HOME_NET any -> [85.217.171.52] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201551; rev:1;) alert tcp $HOME_NET any -> [31.41.44.65] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201552; rev:1;) alert tcp $HOME_NET any -> [37.48.92.195] 1218 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201553; rev:1;) alert tcp $HOME_NET any -> [185.36.81.51] 6008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201554; rev:1;) alert tcp $HOME_NET any -> [89.249.65.210] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201555; rev:1;) alert tcp $HOME_NET any -> [79.134.225.81] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201556; rev:1;) alert tcp $HOME_NET any -> [51.83.78.85] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201557; rev:1;) alert tcp $HOME_NET any -> [81.16.141.25] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201558; rev:1;) alert tcp $HOME_NET any -> [185.163.45.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201559; rev:1;) alert tcp $HOME_NET any -> [188.127.230.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201560; rev:1;) alert tcp $HOME_NET any -> [194.67.91.222] 443 (msg:"SSLBL: 
Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201561; rev:1;) alert tcp $HOME_NET any -> [45.141.102.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201562; rev:1;) alert tcp $HOME_NET any -> [185.193.141.252] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201563; rev:1;) alert tcp $HOME_NET any -> [157.245.132.240] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201564; rev:1;) alert tcp $HOME_NET any -> [190.1.245.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201565; rev:1;) alert tcp $HOME_NET any -> [45.67.57.184] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201566; rev:1;) alert tcp $HOME_NET any -> [93.170.76.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201567; rev:1;) alert tcp $HOME_NET any -> [103.125.191.152] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201568; rev:1;) alert tcp $HOME_NET any -> 
[79.134.225.114] 5060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201569; rev:1;) alert tcp $HOME_NET any -> [51.75.128.158] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201570; rev:1;) alert tcp $HOME_NET any -> [79.134.225.70] 2323 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201571; rev:1;) alert tcp $HOME_NET any -> [194.87.103.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201572; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 31447 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201573; rev:1;) alert tcp $HOME_NET any -> [79.134.225.96] 5665 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201574; rev:1;) alert tcp $HOME_NET any -> [185.22.154.110] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201575; rev:1;) alert tcp $HOME_NET any -> [185.165.153.116] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201576; 
rev:1;) alert tcp $HOME_NET any -> [194.67.202.117] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201577; rev:1;) alert tcp $HOME_NET any -> [195.206.106.220] 1899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201578; rev:1;) alert tcp $HOME_NET any -> [79.134.225.74] 3050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201579; rev:1;) alert tcp $HOME_NET any -> [85.143.221.32] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201580; rev:1;) alert tcp $HOME_NET any -> [185.203.116.78] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201581; rev:1;) alert tcp $HOME_NET any -> [5.135.67.231] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201582; rev:1;) alert tcp $HOME_NET any -> [188.120.229.38] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201583; rev:1;) alert tcp $HOME_NET any -> [134.119.177.108] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201584; rev:1;) alert tcp $HOME_NET any -> [46.29.165.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201585; rev:1;) alert tcp $HOME_NET any -> [119.29.177.237] 8088 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201586; rev:1;) alert tcp $HOME_NET any -> [195.133.1.208] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201587; rev:1;) alert tcp $HOME_NET any -> [194.67.78.102] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201588; rev:1;) alert tcp $HOME_NET any -> [109.196.164.75] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201589; rev:1;) alert tcp $HOME_NET any -> [93.190.93.175] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201590; rev:1;) alert tcp $HOME_NET any -> [185.193.141.59] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201591; rev:1;) alert tcp $HOME_NET any -> [46.249.59.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201592; rev:1;) alert tcp $HOME_NET any -> [79.134.225.90] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201593; rev:1;) alert tcp $HOME_NET any -> [107.182.187.115] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201594; rev:1;) alert tcp $HOME_NET any -> [85.143.216.198] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201595; rev:1;) alert tcp $HOME_NET any -> [85.143.223.34] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201596; rev:1;) alert tcp $HOME_NET any -> [192.3.204.165] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201597; rev:1;) alert tcp $HOME_NET any -> [180.245.57.42] 6606 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201598; rev:1;) alert tcp $HOME_NET any -> [194.87.238.60] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201599; rev:1;) alert tcp $HOME_NET any -> [62.173.145.225] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201600; rev:1;) alert tcp $HOME_NET any -> [46.29.167.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201601; rev:1;) alert tcp $HOME_NET any -> [194.5.98.76] 8881 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201602; rev:1;) alert tcp $HOME_NET any -> [172.82.128.243] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201603; rev:1;) alert tcp $HOME_NET any -> [79.134.225.71] 7390 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201604; rev:1;) alert tcp $HOME_NET any -> [194.5.98.88] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201605; rev:1;) alert tcp $HOME_NET any -> [109.234.39.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201606; rev:1;) alert tcp $HOME_NET any -> [80.78.240.45] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201607; rev:1;) alert tcp $HOME_NET any -> [185.205.210.48] 1010 (msg:"SSLBL: Traffic to malicious host (likely 
Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201608; rev:1;) alert tcp $HOME_NET any -> [45.129.2.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201609; rev:1;) alert tcp $HOME_NET any -> [176.113.82.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201610; rev:1;) alert tcp $HOME_NET any -> [45.128.204.95] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201611; rev:1;) alert tcp $HOME_NET any -> [85.143.223.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201612; rev:1;) alert tcp $HOME_NET any -> [149.154.71.176] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201613; rev:1;) alert tcp $HOME_NET any -> [79.134.225.115] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201614; rev:1;) alert tcp $HOME_NET any -> [85.143.217.217] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201615; rev:1;) alert tcp $HOME_NET any -> [45.141.103.221] 443 (msg:"SSLBL: Traffic 
to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201616; rev:1;)
# The rules below match on destination IP and port only (no payload, TLS or
# certificate condition). flow:established,to_server fires once a $HOME_NET
# client has completed the TCP handshake; the limit threshold caps each rule at
# one alert per source host per 60 seconds, so steady beaconing shows up as one
# alert a minute rather than one per connection.
# NOTE(review): the Snort 2.9 manual marks the in-rule threshold keyword as
# deprecated in favour of event_filter; Suricata accepts it as written.
alert tcp $HOME_NET any -> [141.255.156.100] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201617; rev:1;)
alert tcp $HOME_NET any -> [159.246.29.124] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201618; rev:1;)
alert tcp $HOME_NET any -> [185.31.160.32] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201619; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.97] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201620; rev:1;)
alert tcp $HOME_NET any -> [194.67.222.131] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201621; rev:1;)
# The next two rules have the same header (194.67.78.6, port 443) and differ
# only in msg and sid: 905201622 labels it PsiXBot, 905201623 generic "Malware".
# Thresholds are counted per rule, so a single connection can raise both
# alerts. Triage on destination IP/port and treat the family name as a hint.
alert tcp $HOME_NET any -> [194.67.78.6] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201622; rev:1;)
alert tcp $HOME_NET any -> [194.67.78.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201623; rev:1;)
alert tcp $HOME_NET any -> 
[194.58.108.187] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201624; rev:1;) alert tcp $HOME_NET any -> [82.146.57.135] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201625; rev:1;) alert tcp $HOME_NET any -> [185.31.160.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201626; rev:1;) alert tcp $HOME_NET any -> [62.173.140.58] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201627; rev:1;) alert tcp $HOME_NET any -> [195.128.126.234] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201628; rev:1;) alert tcp $HOME_NET any -> [89.108.64.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201629; rev:1;) alert tcp $HOME_NET any -> [185.173.178.175] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201630; rev:1;) alert tcp $HOME_NET any -> [23.105.131.169] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201631; rev:1;) alert tcp $HOME_NET any -> [79.134.225.72] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201632; rev:1;) alert tcp $HOME_NET any -> [79.134.225.11] 1199 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201633; rev:1;) alert tcp $HOME_NET any -> [62.109.17.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201634; rev:1;) alert tcp $HOME_NET any -> [185.225.17.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Bolek C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201635; rev:1;) alert tcp $HOME_NET any -> [45.88.78.10] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201636; rev:1;) alert tcp $HOME_NET any -> [51.91.175.220] 4558 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201637; rev:1;) alert tcp $HOME_NET any -> [110.141.230.15] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201638; rev:1;) alert tcp $HOME_NET any -> [74.208.64.187] 3389 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905201639; rev:1;) alert tcp $HOME_NET any -> [79.134.225.75] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201640; rev:1;) alert tcp $HOME_NET any -> [85.114.136.176] 4558 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201641; rev:1;) alert tcp $HOME_NET any -> [185.177.59.98] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201642; rev:1;) alert tcp $HOME_NET any -> [212.109.218.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201643; rev:1;) alert tcp $HOME_NET any -> [185.41.161.200] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201644; rev:1;) alert tcp $HOME_NET any -> [85.143.216.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201645; rev:1;) alert tcp $HOME_NET any -> [193.37.213.33] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201646; rev:1;) alert tcp $HOME_NET any -> [74.124.24.29] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201647; rev:1;) alert tcp $HOME_NET any -> [193.124.117.45] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201648; rev:1;) alert tcp $HOME_NET any -> [185.94.191.37] 5201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201649; rev:1;) alert tcp $HOME_NET any -> [85.143.216.89] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201650; rev:1;) alert tcp $HOME_NET any -> [195.133.147.138] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201651; rev:1;) alert tcp $HOME_NET any -> [184.164.139.213] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201652; rev:1;) alert tcp $HOME_NET any -> [46.29.167.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201653; rev:1;) alert tcp $HOME_NET any -> [179.60.144.143] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201654; rev:1;) alert tcp $HOME_NET any -> [185.244.31.119] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201655; rev:1;) alert tcp $HOME_NET any -> [185.157.161.147] 65301 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201656; rev:1;) alert tcp $HOME_NET any -> [185.244.31.92] 9341 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201657; rev:1;) alert tcp $HOME_NET any -> [91.92.128.188] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201658; rev:1;) alert tcp $HOME_NET any -> [109.234.34.133] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201659; rev:1;) alert tcp $HOME_NET any -> [185.205.210.163] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201660; rev:1;) alert tcp $HOME_NET any -> [185.193.141.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201661; rev:1;) alert tcp $HOME_NET any -> [194.67.209.128] 1029 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201662; rev:1;) alert tcp $HOME_NET any -> [5.39.218.206] 443 (msg:"SSLBL: Traffic to 
malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201663; rev:1;)
# IP/port blocklist rules: each alerts on an established TCP session from
# $HOME_NET to one listed address and port, at most once per source per 60 s.
# The family named in msg is the feed's own "likely" attribution.
#
# 193.161.193.99 is also listed in sid 905201573 (port 31447, AsyncRAT); here it
# is port 44611, OrcusRAT. One address carrying several families on different
# ports may be shared infrastructure (hosting, tunnel or relay) rather than a
# single operator -- confirm before blocking the whole IP instead of the port.
alert tcp $HOME_NET any -> [193.161.193.99] 44611 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201664; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.237] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201665; rev:1;)
alert tcp $HOME_NET any -> [77.73.69.39] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201666; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.199] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201667; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201668; rev:1;)
alert tcp $HOME_NET any -> [66.154.102.118] 9412 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201669; rev:1;)
alert tcp $HOME_NET any -> [77.83.174.121] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201670; rev:1;)
# 185.205.210.60 is listed on two ports (1010 and 1040), both labelled Adwind;
# the match is per IP and port, so each port has its own rule and sid.
alert tcp $HOME_NET any -> [185.205.210.60] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201671; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.60] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201672; rev:1;)
alert tcp $HOME_NET any -> [177.133.246.134] 9830 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201673; rev:1;)
# The next two rules share one header (185.163.45.175, port 443) and differ
# only in msg and sid: 905201674 says generic "Malware", 905201675 ServHelper.
# Thresholds are counted per rule, so one connection can raise both alerts;
# deduplicate on destination IP/port when counting affected hosts.
alert tcp $HOME_NET any -> [185.163.45.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201674; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.175] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201675; rev:1;)
alert tcp $HOME_NET any -> [172.111.250.235] 6601 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201676; rev:1;)
alert tcp $HOME_NET any -> [46.4.167.227] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201677; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.146] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201678; rev:1;) alert tcp $HOME_NET any -> [89.223.94.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201679; rev:1;) alert tcp $HOME_NET any -> [185.244.31.84] 9988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201680; rev:1;) alert tcp $HOME_NET any -> [178.156.202.242] 2050 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201681; rev:1;) alert tcp $HOME_NET any -> [3.14.212.173] 10836 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201682; rev:1;) alert tcp $HOME_NET any -> [185.203.117.118] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201683; rev:1;) alert tcp $HOME_NET any -> [93.170.76.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201684; rev:1;) alert tcp $HOME_NET any -> [94.158.245.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201685; rev:1;) alert tcp $HOME_NET any -> [82.146.34.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201686; rev:1;) alert tcp $HOME_NET any -> [31.220.43.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201687; rev:1;) alert tcp $HOME_NET any -> [5.252.178.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201688; rev:1;) alert tcp $HOME_NET any -> [185.165.153.161] 6776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201689; rev:1;) alert tcp $HOME_NET any -> [46.249.59.119] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201690; rev:1;) alert tcp $HOME_NET any -> [79.134.225.121] 9992 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201691; rev:1;) alert tcp $HOME_NET any -> [94.156.35.241] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201692; rev:1;) alert tcp $HOME_NET any -> [104.168.197.211] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201693; rev:1;) alert tcp $HOME_NET any -> [45.61.49.107] 2444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201694; rev:1;) alert tcp $HOME_NET any -> [185.159.129.138] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201695; rev:1;) alert tcp $HOME_NET any -> [185.165.153.4] 1997 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201696; rev:1;) alert tcp $HOME_NET any -> [185.165.153.145] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201697; rev:1;) alert tcp $HOME_NET any -> [46.21.153.72] 1506 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201698; rev:1;) alert tcp $HOME_NET any -> [197.255.225.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201699; rev:1;) alert tcp $HOME_NET any -> [188.227.212.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201700; rev:1;) alert tcp $HOME_NET any -> [185.203.118.180] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201701; rev:1;) alert tcp $HOME_NET any -> [81.16.141.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201702; rev:1;) alert tcp $HOME_NET any -> [213.208.152.205] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201703; rev:1;) alert tcp $HOME_NET any -> [185.61.138.206] 25565 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201704; rev:1;) alert tcp $HOME_NET any -> [37.75.34.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201705; rev:1;) alert tcp $HOME_NET any -> [176.227.191.12] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201706; rev:1;) alert tcp $HOME_NET any -> [177.133.239.37] 6606 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201707; rev:1;) alert tcp $HOME_NET any -> [91.148.141.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201708; rev:1;) alert tcp $HOME_NET any -> [185.225.17.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201709; rev:1;) alert tcp $HOME_NET any -> [93.170.76.177] 443 (msg:"SSLBL: Traffic to malicious 
host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201710; rev:1;) alert tcp $HOME_NET any -> [192.99.135.121] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201711; rev:1;) alert tcp $HOME_NET any -> [109.185.156.241] 5555 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201712; rev:1;) alert tcp $HOME_NET any -> [213.188.152.96] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201713; rev:1;) alert tcp $HOME_NET any -> [91.132.139.145] 5020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201714; rev:1;) alert tcp $HOME_NET any -> [72.44.80.19] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201715; rev:1;) alert tcp $HOME_NET any -> [194.147.34.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201716; rev:1;) alert tcp $HOME_NET any -> [161.129.67.135] 6722 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201717; rev:1;) alert tcp $HOME_NET any -> [189.47.95.154] 3570 
(msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201718; rev:1;) alert tcp $HOME_NET any -> [51.75.17.4] 10135 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201719; rev:1;) alert tcp $HOME_NET any -> [78.138.107.12] 7779 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201720; rev:1;) alert tcp $HOME_NET any -> [46.17.46.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201721; rev:1;) alert tcp $HOME_NET any -> [185.244.29.219] 58030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201722; rev:1;) alert tcp $HOME_NET any -> [185.247.228.24] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201723; rev:1;) alert tcp $HOME_NET any -> [103.87.48.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201724; rev:1;) alert tcp $HOME_NET any -> [185.217.1.185] 911 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201725; rev:1;) alert tcp $HOME_NET 
any -> [45.74.1.12] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201726; rev:1;) alert tcp $HOME_NET any -> [185.247.228.191] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201727; rev:1;) alert tcp $HOME_NET any -> [45.227.255.117] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201728; rev:1;) alert tcp $HOME_NET any -> [94.158.245.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201729; rev:1;) alert tcp $HOME_NET any -> [138.121.24.78] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201730; rev:1;) alert tcp $HOME_NET any -> [185.205.209.96] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201731; rev:1;) alert tcp $HOME_NET any -> [185.222.57.157] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201732; rev:1;) alert tcp $HOME_NET any -> [185.247.228.69] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201733; rev:1;) alert tcp $HOME_NET any -> [200.171.231.146] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201734; rev:1;) alert tcp $HOME_NET any -> [185.217.1.151] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201735; rev:1;) alert tcp $HOME_NET any -> [168.227.229.112] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201736; rev:1;) alert tcp $HOME_NET any -> [193.56.28.172] 1944 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201737; rev:1;) alert tcp $HOME_NET any -> [51.75.154.197] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201738; rev:1;) alert tcp $HOME_NET any -> [185.247.228.177] 6776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201739; rev:1;) alert tcp $HOME_NET any -> [64.44.42.148] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201740; rev:1;) alert tcp $HOME_NET any -> [185.247.228.53] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905201741; rev:1;) alert tcp $HOME_NET any -> [178.239.21.5] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201742; rev:1;) alert tcp $HOME_NET any -> [131.0.142.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201743; rev:1;) alert tcp $HOME_NET any -> [185.186.244.99] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201744; rev:1;) alert tcp $HOME_NET any -> [185.247.228.128] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201745; rev:1;) alert tcp $HOME_NET any -> [177.8.172.86] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201746; rev:1;) alert tcp $HOME_NET any -> [45.89.230.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201747; rev:1;) alert tcp $HOME_NET any -> [187.74.75.191] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201748; rev:1;) alert tcp $HOME_NET any -> [177.76.22.91] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201749; rev:1;) alert tcp $HOME_NET any -> [201.0.106.138] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201750; rev:1;) alert tcp $HOME_NET any -> [188.215.229.215] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201751; rev:1;) alert tcp $HOME_NET any -> [46.17.40.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201752; rev:1;) alert tcp $HOME_NET any -> [46.17.40.254] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201753; rev:1;) alert tcp $HOME_NET any -> [154.16.93.179] 2019 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201754; rev:1;) alert tcp $HOME_NET any -> [179.180.17.194] 9830 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201755; rev:1;) alert tcp $HOME_NET any -> [91.193.75.22] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201756; rev:1;) alert tcp $HOME_NET any -> [95.211.214.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201757; rev:1;) alert tcp $HOME_NET any -> [175.126.82.55] 8888 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201758; rev:1;) alert tcp $HOME_NET any -> [46.17.40.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201759; rev:1;) alert tcp $HOME_NET any -> [185.247.228.18] 8787 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201760; rev:1;) alert tcp $HOME_NET any -> [5.39.119.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201761; rev:1;) alert tcp $HOME_NET any -> [91.218.65.24] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201762; rev:1;) alert tcp $HOME_NET any -> [89.223.90.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201763; rev:1;) alert tcp $HOME_NET any -> [194.165.3.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201764; rev:1;) alert tcp $HOME_NET any -> [94.158.245.4] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201765; rev:1;) alert tcp $HOME_NET any -> [185.247.228.28] 587 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201766; rev:1;) alert tcp $HOME_NET any -> [134.119.180.105] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201767; rev:1;) alert tcp $HOME_NET any -> [141.255.166.157] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201768; rev:1;) alert tcp $HOME_NET any -> [93.170.76.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201769; rev:1;) alert tcp $HOME_NET any -> [190.13.160.19] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201770; rev:1;) alert tcp $HOME_NET any -> [185.247.228.69] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201771; rev:1;) alert tcp $HOME_NET any -> [185.193.141.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201772; rev:1;) alert tcp $HOME_NET any -> [185.247.228.31] 1313 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201773; rev:1;) alert tcp $HOME_NET any -> [67.253.236.155] 111 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201774; rev:1;) alert tcp $HOME_NET any -> [46.17.44.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201775; rev:1;) alert tcp $HOME_NET any -> [93.90.193.189] 9341 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201776; rev:1;) alert tcp $HOME_NET any -> [185.225.17.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201777; rev:1;) alert tcp $HOME_NET any -> [93.170.76.89] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201778; rev:1;) alert tcp $HOME_NET any -> [94.130.156.219] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201779; rev:1;) alert tcp $HOME_NET any -> [64.44.42.201] 6677 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201780; rev:1;) alert tcp $HOME_NET any -> [188.209.52.219] 25565 (msg:"SSLBL: 
Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201781; rev:1;) alert tcp $HOME_NET any -> [62.109.24.227] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201782; rev:1;) alert tcp $HOME_NET any -> [93.189.149.176] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201783; rev:1;) alert tcp $HOME_NET any -> [185.247.228.16] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201784; rev:1;) alert tcp $HOME_NET any -> [187.110.100.122] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201785; rev:1;) alert tcp $HOME_NET any -> [211.47.153.128] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201786; rev:1;) alert tcp $HOME_NET any -> [5.188.60.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201787; rev:1;) alert tcp $HOME_NET any -> [176.227.191.12] 2002 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201788; rev:1;) alert tcp $HOME_NET any -> 
[81.177.6.162] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201789; rev:1;) alert tcp $HOME_NET any -> [185.205.209.2] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201790; rev:1;) alert tcp $HOME_NET any -> [178.239.21.45] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201791; rev:1;) alert tcp $HOME_NET any -> [185.205.209.2] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201792; rev:1;) alert tcp $HOME_NET any -> [31.214.157.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201793; rev:1;) alert tcp $HOME_NET any -> [185.217.1.190] 1337 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201794; rev:1;) alert tcp $HOME_NET any -> [23.81.246.143] 1013 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201795; rev:1;) alert tcp $HOME_NET any -> [177.183.194.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201796; 
rev:1;) alert tcp $HOME_NET any -> [185.244.31.62] 5780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201797; rev:1;) alert tcp $HOME_NET any -> [91.193.75.130] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201798; rev:1;) alert tcp $HOME_NET any -> [178.239.21.21] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201799; rev:1;) alert tcp $HOME_NET any -> [95.167.151.233] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201800; rev:1;) alert tcp $HOME_NET any -> [200.35.56.81] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201801; rev:1;) alert tcp $HOME_NET any -> [93.170.76.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201802; rev:1;) alert tcp $HOME_NET any -> [103.74.91.27] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201803; rev:1;) alert tcp $HOME_NET any -> [91.193.75.77] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201804; rev:1;) alert tcp $HOME_NET any -> [91.193.75.135] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201805; rev:1;) alert tcp $HOME_NET any -> [213.208.129.205] 5500 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201806; rev:1;) alert tcp $HOME_NET any -> [194.5.98.25] 8856 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201807; rev:1;) alert tcp $HOME_NET any -> [31.214.157.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201808; rev:1;) alert tcp $HOME_NET any -> [79.9.88.117] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201809; rev:1;) alert tcp $HOME_NET any -> [185.203.117.3] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201810; rev:1;) alert tcp $HOME_NET any -> [213.208.129.195] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201811; rev:1;) alert tcp $HOME_NET any -> [134.209.78.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201812; rev:1;) alert tcp $HOME_NET any -> [91.193.75.61] 6343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201813; rev:1;) alert tcp $HOME_NET any -> [185.244.31.90] 4132 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201814; rev:1;) alert tcp $HOME_NET any -> [85.117.234.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201815; rev:1;) alert tcp $HOME_NET any -> [181.129.49.98] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201816; rev:1;) alert tcp $HOME_NET any -> [181.129.140.140] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201817; rev:1;) alert tcp $HOME_NET any -> [147.135.60.142] 4030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201818; rev:1;) alert tcp $HOME_NET any -> [109.236.80.32] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201819; rev:1;) alert tcp $HOME_NET any -> [181.112.145.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201820; rev:1;) alert tcp $HOME_NET any -> [185.244.31.43] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201821; rev:1;) alert tcp $HOME_NET any -> [147.135.60.142] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201822; rev:1;) alert tcp $HOME_NET any -> [177.52.79.29] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201823; rev:1;) alert tcp $HOME_NET any -> [66.70.164.168] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201824; rev:1;) alert tcp $HOME_NET any -> [91.193.75.85] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201825; rev:1;) alert tcp $HOME_NET any -> [200.110.72.134] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201826; rev:1;) alert tcp $HOME_NET any -> [185.244.29.19] 22209 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201827; rev:1;) alert tcp $HOME_NET any -> [93.170.76.18] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201828; rev:1;) alert tcp $HOME_NET any -> [5.206.226.46] 4749 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201829; rev:1;) alert tcp $HOME_NET any -> [109.236.80.32] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201830; rev:1;) alert tcp $HOME_NET any -> [185.247.228.23] 5543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201831; rev:1;) alert tcp $HOME_NET any -> [177.52.28.238] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201832; rev:1;) alert tcp $HOME_NET any -> [91.193.75.234] 6177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201833; rev:1;) alert tcp $HOME_NET any -> [185.141.61.192] 1507 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201834; rev:1;) alert tcp $HOME_NET any -> [185.228.234.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201835; rev:1;) alert tcp $HOME_NET any -> [186.248.163.198] 449 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201836; rev:1;)
# How to read the rules in this section (one rule per line):
#   - Header: TCP from any port in $HOME_NET to a single destination
#     address and port. Only address and port are matched; there is no
#     content, TLS or certificate keyword in these rules.
#   - flow:established,to_server: the rule is evaluated on established
#     client-to-server flows, so an attempt that never completes the TCP
#     handshake (for example one dropped by an egress filter) does not alert.
#   - threshold: type limit, track by_src, seconds 60, count 1: at most one
#     alert per source address per rule in any 60-second window; further
#     connections from that source inside the window are not alerted.
#   - The family named in msg is the feed's "likely" attribution.
# NOTE(review): IP addresses get reassigned and may be shared hosting; check
# the "Last updated" stamp in the file header and corroborate a hit with host
# or proxy telemetry before treating it as confirmed C&C traffic.
alert tcp $HOME_NET any -> [45.74.1.41] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201837; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.138] 5195 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201838; rev:1;)
alert tcp $HOME_NET any -> [200.107.59.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201839; rev:1;)
alert tcp $HOME_NET any -> [181.112.221.246] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201840; rev:1;)
alert tcp $HOME_NET any -> [186.42.186.202] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201841; rev:1;)
alert tcp $HOME_NET any -> [187.8.169.10] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201842; rev:1;)
alert tcp $HOME_NET any -> [187.95.123.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201843; rev:1;)
alert tcp $HOME_NET any -> [151.106.0.80] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201844; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.141] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201845; rev:1;)
alert tcp $HOME_NET any -> [138.186.62.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201846; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.136] 15290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201847; rev:1;)
alert tcp $HOME_NET any -> [187.65.49.88] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201848; rev:1;)
alert tcp $HOME_NET any -> [191.242.178.210] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201849; rev:1;)
alert tcp $HOME_NET any -> [158.69.144.70] 6343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201850; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.230] 2094 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201851; rev:1;)
alert tcp $HOME_NET any -> [191.241.233.195] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201852; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.140] 2233 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201853; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.47] 7795 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201854; rev:1;)
alert tcp $HOME_NET any -> [161.129.65.104] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201855; rev:1;)
alert tcp $HOME_NET any -> [45.74.1.201] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201856; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 38786 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201857; rev:1;)
alert tcp $HOME_NET any -> [185.143.145.90] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201858; rev:1;)
alert tcp $HOME_NET any -> [185.62.189.186] 4749 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201859; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201860; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.98] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201861; rev:1;)
alert tcp $HOME_NET any -> [185.164.72.234] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201862; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.157] 9002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201863; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.160] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201864; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.170] 4020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201865; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.6] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201866; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.46] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201867; rev:1;)
alert tcp $HOME_NET any -> [79.180.33.229] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201868; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201869; rev:1;)
alert tcp $HOME_NET any -> [46.17.40.153] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201870; rev:1;)
alert tcp $HOME_NET any -> [161.129.66.19] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201871; rev:1;)
alert tcp $HOME_NET any -> [185.62.188.109] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201872; rev:1;)
alert tcp $HOME_NET any -> [202.95.13.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201873; rev:1;)
alert tcp $HOME_NET any -> [40.89.157.54] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201874; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201875; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.24] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201876; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.48] 3290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201877; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.110] 4125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201878; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.48] 7795 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201879; rev:1;)
alert tcp $HOME_NET any -> [188.120.226.212] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201880; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.109] 4132 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201881; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.187] 2250 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201882; rev:1;)
alert tcp $HOME_NET any -> [185.103.110.32] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201883; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201884; rev:1;)
alert tcp $HOME_NET any -> [93.170.129.78] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201885; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.184] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201886; rev:1;)
alert tcp $HOME_NET any -> [181.129.20.250] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201887; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201888; rev:1;)
alert tcp $HOME_NET any -> [178.57.218.162] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201889; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201890; rev:1;)
alert tcp $HOME_NET any -> [88.119.179.177] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201891; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.41] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201892; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.95] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201893; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201894; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.27] 3242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201895; rev:1;)
alert tcp $HOME_NET any -> [185.74.255.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201896; rev:1;)
alert tcp $HOME_NET any -> [46.17.43.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201897; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201898; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.25] 1123 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201899; rev:1;)
alert tcp $HOME_NET any -> [89.105.195.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201900; rev:1;)
alert tcp $HOME_NET any -> [186.159.2.153] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201901; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.193] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201902; rev:1;)
alert tcp $HOME_NET any -> [45.32.84.150] 8080 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201903; rev:1;)
alert tcp $HOME_NET any -> [82.62.44.126] 6315 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201904; rev:1;)
alert tcp $HOME_NET any -> [185.206.146.146] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201905; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.99] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201906; rev:1;)
alert tcp $HOME_NET any -> [181.48.203.10] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201907; rev:1;)
alert tcp $HOME_NET any -> [143.255.141.137] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201908; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.132] 4125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201909; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.66] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201910; rev:1;)
alert tcp $HOME_NET any -> [200.54.14.61] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201911; rev:1;)
alert tcp $HOME_NET any -> [181.143.102.30] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201912; rev:1;)
alert tcp $HOME_NET any -> [190.151.10.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201913; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201914; rev:1;)
alert tcp $HOME_NET any -> [185.66.9.114] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201915; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.46] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201916; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.22] 22112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201917; rev:1;)
alert tcp $HOME_NET any -> [51.255.130.130] 2808 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201918; rev:1;)
alert tcp $HOME_NET any -> [79.1.42.72] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201919; rev:1;)
alert tcp $HOME_NET any -> [181.176.191.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201920; rev:1;)
alert tcp $HOME_NET any -> [85.119.144.126] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201921; rev:1;)
alert tcp $HOME_NET any -> [190.196.32.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201922; rev:1;)
alert tcp $HOME_NET any -> [209.45.30.2] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201923; rev:1;)
alert tcp $HOME_NET any -> [190.109.165.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201924; rev:1;)
alert tcp $HOME_NET any -> [177.105.237.93] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201925; rev:1;)
alert tcp $HOME_NET any -> [77.222.60.127] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201926; rev:1;)
alert tcp $HOME_NET any -> [194.28.84.254] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201927; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.39] 1921 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201928; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.55] 45201 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201929; rev:1;)
alert tcp $HOME_NET any -> [190.117.66.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201930; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.6] 34022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201931; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.12] 8785 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201932; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201933; rev:1;)
alert tcp $HOME_NET any -> [185.181.209.76] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201934; rev:1;)
alert tcp $HOME_NET any -> [185.156.173.122] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201935; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.6] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201936; rev:1;)
alert tcp $HOME_NET any -> [185.136.168.134] 7776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201937; rev:1;)
alert tcp $HOME_NET any -> [188.209.52.68] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201938; rev:1;)
# Same destination address as sid 905201937 (port 7776, Adwind); this entry
# covers port 10134 and carries a different family label, so triage on the
# sid and port rather than on the address alone.
alert tcp $HOME_NET any -> [185.136.168.134] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201939; rev:1;)
alert tcp $HOME_NET any -> [190.0.20.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201940; rev:1;)
alert tcp $HOME_NET any -> [181.115.236.26] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201941; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.172] 2564 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201942; rev:1;)
alert tcp $HOME_NET any -> [185.139.70.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201943; rev:1;)
alert tcp $HOME_NET any -> [181.143.17.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201944; rev:1;)
alert tcp $HOME_NET any -> [199.195.250.222] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201945; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.46] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201946; rev:1;)
alert tcp $HOME_NET any -> [185.189.149.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201947; rev:1;)
alert tcp $HOME_NET any -> [103.114.107.151] 8089 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201948; rev:1;)
alert tcp $HOME_NET any -> [91.230.61.178] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201949; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.184] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201950; rev:1;)
alert tcp $HOME_NET any -> [204.16.247.226] 419 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201951; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.38] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201952; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.14] 1971 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201953; rev:1;)
# Rules in this section share one shape: TCP from $HOME_NET to a single
# destination address and port, evaluated on established client-to-server
# flows (flow:established,to_server) and limited by
# "threshold: type limit, track by_src, seconds 60, count 1" to one alert per
# source address per rule in a 60-second window. Nothing beyond address and
# port is matched, and the family in msg is the feed's "likely" attribution.
# Several entries are labelled only "Malware" and several sit on port 443.
# NOTE(review): an address-only match on 443 cannot tell C&C traffic from
# other services on the same host; corroborate with TLS, proxy or endpoint
# data, and check the "Last updated" stamp in the file header for staleness.
alert tcp $HOME_NET any -> [31.220.43.154] 8080 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201954; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201955; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201956; rev:1;)
alert tcp $HOME_NET any -> [46.17.43.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201957; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201958; rev:1;)
alert tcp $HOME_NET any -> [185.4.29.236] 9221 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201959; rev:1;)
alert tcp $HOME_NET any -> [185.206.146.146] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201960; rev:1;)
alert tcp $HOME_NET any -> [89.223.94.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201961; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.141] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201962; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.241] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201963; rev:1;)
alert tcp $HOME_NET any -> [176.227.191.12] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201964; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.99] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201965; rev:1;)
alert tcp $HOME_NET any -> [197.46.21.48] 7777 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201966; rev:1;)
alert tcp $HOME_NET any -> [185.219.82.83] 5555 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201967; rev:1;)
alert tcp $HOME_NET any -> [71.207.206.178] 7532 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201968; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201969; rev:1;)
alert tcp $HOME_NET any -> [185.17.121.185] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201970; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201971; rev:1;)
alert tcp $HOME_NET any -> [46.17.41.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201972; rev:1;)
alert tcp $HOME_NET any -> [192.162.244.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201973; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.180] 6565 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201974; rev:1;)
alert tcp $HOME_NET any -> [89.223.88.195] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201975; rev:1;)
alert tcp $HOME_NET any -> [51.15.21.149] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201976; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.172] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201977; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201978; rev:1;)
alert tcp $HOME_NET any -> [177.226.176.13] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201979; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.16] 2212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201980; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.58] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201981; rev:1;)
alert tcp $HOME_NET any -> [89.223.25.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201982; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201983; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.39] 6778 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201984; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.9] 3478 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201985; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.48] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201986; rev:1;)
alert tcp $HOME_NET any -> [144.217.89.128] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201987; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.31] 1880 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201988; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.40] 1999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201989; rev:1;)
alert tcp $HOME_NET any -> [192.3.24.248] 3478 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201990; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.105] 3602 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201991; rev:1;)
alert tcp $HOME_NET any -> [209.97.179.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201992; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.8] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201993; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.250] 2256 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201994; rev:1;)
alert tcp $HOME_NET any -> [93.189.149.131] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201995; rev:1;)
alert tcp $HOME_NET any -> [193.187.173.214] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201996; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.184] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201997; rev:1;)
alert tcp $HOME_NET any -> [85.59.129.120] 6666 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201998; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.143] 9801 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201999; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.161] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202000; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.119] 6868 (msg:"SSLBL: Traffic to malicious 
host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202001; rev:1;) alert tcp $HOME_NET any -> [52.142.166.69] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202002; rev:1;) alert tcp $HOME_NET any -> [95.213.251.165] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202003; rev:1;) alert tcp $HOME_NET any -> [95.169.31.41] 53 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202004; rev:1;) alert tcp $HOME_NET any -> [185.244.29.52] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202005; rev:1;) alert tcp $HOME_NET any -> [186.226.188.105] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202006; rev:1;) alert tcp $HOME_NET any -> [185.158.251.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202007; rev:1;) alert tcp $HOME_NET any -> [194.5.97.210] 3012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202008; rev:1;) alert tcp $HOME_NET any -> [194.5.98.16] 5551 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202009; rev:1;) alert tcp $HOME_NET any -> [194.147.34.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202010; rev:1;) alert tcp $HOME_NET any -> [185.158.249.17] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202011; rev:1;) alert tcp $HOME_NET any -> [185.48.56.231] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202012; rev:1;) alert tcp $HOME_NET any -> [54.37.240.237] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202013; rev:1;) alert tcp $HOME_NET any -> [84.38.129.48] 3021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202014; rev:1;) alert tcp $HOME_NET any -> [194.5.97.5] 8484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202015; rev:1;) alert tcp $HOME_NET any -> [91.192.100.6] 12201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202016; rev:1;) alert tcp $HOME_NET any -> 
[194.5.98.58] 4435 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202017; rev:1;) alert tcp $HOME_NET any -> [185.179.188.245] 4782 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202018; rev:1;) alert tcp $HOME_NET any -> [91.192.100.47] 8332 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202019; rev:1;) alert tcp $HOME_NET any -> [178.239.21.242] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202020; rev:1;) alert tcp $HOME_NET any -> [194.147.32.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202021; rev:1;) alert tcp $HOME_NET any -> [46.29.166.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202022; rev:1;) alert tcp $HOME_NET any -> [46.17.42.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202023; rev:1;) alert tcp $HOME_NET any -> [185.81.157.43] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202024; rev:1;) alert 
tcp $HOME_NET any -> [173.46.85.73] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202025; rev:1;) alert tcp $HOME_NET any -> [173.46.85.19] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202026; rev:1;) alert tcp $HOME_NET any -> [194.5.98.58] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202027; rev:1;) alert tcp $HOME_NET any -> [195.123.246.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202028; rev:1;) alert tcp $HOME_NET any -> [194.147.32.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202029; rev:1;) alert tcp $HOME_NET any -> [46.29.167.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202030; rev:1;) alert tcp $HOME_NET any -> [185.207.205.134] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202031; rev:1;) alert tcp $HOME_NET any -> [194.5.98.172] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202032; rev:1;) alert tcp $HOME_NET any -> [194.76.224.30] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202033; rev:1;) alert tcp $HOME_NET any -> [194.5.97.215] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202034; rev:1;) alert tcp $HOME_NET any -> [185.211.48.20] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202035; rev:1;) alert tcp $HOME_NET any -> [5.135.43.178] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202036; rev:1;) alert tcp $HOME_NET any -> [46.183.218.124] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202037; rev:1;) alert tcp $HOME_NET any -> [185.165.153.93] 76 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202038; rev:1;) alert tcp $HOME_NET any -> [178.239.21.167] 92 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202039; rev:1;) alert tcp $HOME_NET any -> [194.5.99.195] 5244 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202040; rev:1;) alert tcp $HOME_NET any -> [91.192.100.28] 7766 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202041; rev:1;) alert tcp $HOME_NET any -> [91.192.100.39] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202042; rev:1;) alert tcp $HOME_NET any -> [194.5.99.71] 5244 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202043; rev:1;) alert tcp $HOME_NET any -> [192.152.0.71] 3021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202044; rev:1;) alert tcp $HOME_NET any -> [13.53.94.89] 25565 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202045; rev:1;) alert tcp $HOME_NET any -> [162.244.32.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202046; rev:1;) alert tcp $HOME_NET any -> [89.105.198.18] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202047; rev:1;) alert tcp $HOME_NET any -> [212.114.52.181] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202048; rev:1;) alert tcp $HOME_NET any -> [178.239.21.118] 4675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202049; rev:1;) alert tcp $HOME_NET any -> [54.37.191.17] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202050; rev:1;) alert tcp $HOME_NET any -> [80.173.224.81] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202051; rev:1;) alert tcp $HOME_NET any -> [77.72.135.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202052; rev:1;) alert tcp $HOME_NET any -> [192.152.0.87] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202053; rev:1;) alert tcp $HOME_NET any -> [5.188.231.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202054; rev:1;) alert tcp $HOME_NET any -> [31.171.152.101] 4548 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202055; rev:1;) alert tcp $HOME_NET any -> [31.171.152.107] 1071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202056; rev:1;) alert tcp $HOME_NET any -> [109.94.209.127] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202057; rev:1;) alert tcp $HOME_NET any -> [109.248.147.173] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202058; rev:1;) alert tcp $HOME_NET any -> [194.147.32.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202059; rev:1;) alert tcp $HOME_NET any -> [194.147.34.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202060; rev:1;) alert tcp $HOME_NET any -> [178.239.21.105] 1955 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202061; rev:1;) alert tcp $HOME_NET any -> [180.250.197.188] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202062; rev:1;) alert tcp $HOME_NET any -> [62.76.46.221] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202063; rev:1;) alert tcp $HOME_NET any -> [146.120.110.93] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202064; rev:1;) alert tcp $HOME_NET any -> [89.223.91.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202065; rev:1;) alert tcp $HOME_NET any -> [46.17.44.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202066; rev:1;) alert tcp $HOME_NET any -> [194.147.34.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202067; rev:1;) alert tcp $HOME_NET any -> [46.17.40.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202068; rev:1;) alert tcp $HOME_NET any -> [89.223.91.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202069; rev:1;) alert tcp $HOME_NET any -> [144.202.59.44] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202070; rev:1;) alert tcp $HOME_NET any -> [151.106.60.147] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202071; rev:1;) alert tcp $HOME_NET any -> [185.158.251.178] 443 (msg:"SSLBL: Traffic to malicious host (likely 
Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202072; rev:1;) alert tcp $HOME_NET any -> [201.184.69.50] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202073; rev:1;) alert tcp $HOME_NET any -> [178.239.21.196] 2021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202074; rev:1;) alert tcp $HOME_NET any -> [138.197.144.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202075; rev:1;) alert tcp $HOME_NET any -> [46.173.214.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202076; rev:1;) alert tcp $HOME_NET any -> [185.173.92.61] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202077; rev:1;) alert tcp $HOME_NET any -> [3.121.182.157] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202078; rev:1;) alert tcp $HOME_NET any -> [185.255.91.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202079; rev:1;) alert tcp $HOME_NET any -> [188.127.239.51] 443 (msg:"SSLBL: Traffic 
to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202080; rev:1;) alert tcp $HOME_NET any -> [185.228.234.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202081; rev:1;) alert tcp $HOME_NET any -> [185.165.153.199] 18 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202082; rev:1;) alert tcp $HOME_NET any -> [185.136.168.203] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202083; rev:1;) alert tcp $HOME_NET any -> [103.1.184.108] 33444 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202084; rev:1;) alert tcp $HOME_NET any -> [46.17.41.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202085; rev:1;) alert tcp $HOME_NET any -> [178.239.21.122] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202086; rev:1;) alert tcp $HOME_NET any -> [213.152.161.15] 21483 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202087; rev:1;) alert tcp $HOME_NET any -> 
[212.114.52.169] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202088; rev:1;) alert tcp $HOME_NET any -> [195.123.245.201] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202089; rev:1;) alert tcp $HOME_NET any -> [185.246.116.239] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202090; rev:1;) alert tcp $HOME_NET any -> [46.17.44.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202091; rev:1;) alert tcp $HOME_NET any -> [46.173.214.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202092; rev:1;) alert tcp $HOME_NET any -> [181.115.168.69] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202093; rev:1;) alert tcp $HOME_NET any -> [46.17.41.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202094; rev:1;) alert tcp $HOME_NET any -> [173.46.85.207] 7134 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202095; rev:1;) alert 
tcp $HOME_NET any -> [173.46.85.126] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202096; rev:1;) alert tcp $HOME_NET any -> [46.17.45.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202097; rev:1;) alert tcp $HOME_NET any -> [185.244.29.70] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202098; rev:1;) alert tcp $HOME_NET any -> [185.86.150.235] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202099; rev:1;) alert tcp $HOME_NET any -> [195.54.162.197] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202100; rev:1;) alert tcp $HOME_NET any -> [45.35.190.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202101; rev:1;) alert tcp $HOME_NET any -> [89.238.181.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202102; rev:1;) alert tcp $HOME_NET any -> [185.236.203.181] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202103; rev:1;) alert tcp $HOME_NET any -> [185.165.153.106] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202104; rev:1;) alert tcp $HOME_NET any -> [185.22.154.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202105; rev:1;) alert tcp $HOME_NET any -> [89.223.28.225] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202106; rev:1;) alert tcp $HOME_NET any -> [186.138.152.228] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202107; rev:1;) alert tcp $HOME_NET any -> [89.223.28.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202108; rev:1;) alert tcp $HOME_NET any -> [185.86.148.251] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202109; rev:1;) alert tcp $HOME_NET any -> [46.148.26.88] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202110; rev:1;) alert tcp $HOME_NET any -> [185.206.145.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202111; rev:1;) alert tcp $HOME_NET any -> [178.239.21.163] 6190 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202112; rev:1;) alert tcp $HOME_NET any -> [185.236.203.142] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202113; rev:1;) alert tcp $HOME_NET any -> [91.192.100.14] 1130 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202114; rev:1;) alert tcp $HOME_NET any -> [31.171.152.99] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202115; rev:1;) alert tcp $HOME_NET any -> [31.171.152.107] 1966 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202116; rev:1;) alert tcp $HOME_NET any -> [185.165.153.34] 7210 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202117; rev:1;) alert tcp $HOME_NET any -> [108.170.60.189] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202118; rev:1;) alert tcp $HOME_NET any -> [185.77.129.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202119; rev:1;) alert tcp $HOME_NET any -> [185.244.30.113] 6649 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202120; rev:1;) alert tcp $HOME_NET any -> [82.199.134.139] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202121; rev:1;) alert tcp $HOME_NET any -> [185.244.30.120] 1130 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202122; rev:1;) alert tcp $HOME_NET any -> [5.206.225.115] 5000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202123; rev:1;) alert tcp $HOME_NET any -> [181.196.61.110] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202124; rev:1;) alert tcp $HOME_NET any -> [54.38.146.43] 8888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202125; rev:1;) alert tcp $HOME_NET any -> [5.2.64.188] 5299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202126; rev:1;) alert tcp $HOME_NET any -> [185.212.47.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202127; rev:1;) alert tcp $HOME_NET any -> [83.166.245.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202128; rev:1;) alert tcp $HOME_NET any -> [194.76.225.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202129; rev:1;) alert tcp $HOME_NET any -> [194.5.98.193] 8008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202130; rev:1;) alert tcp $HOME_NET any -> [5.2.67.66] 5299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202131; rev:1;) alert tcp $HOME_NET any -> [95.213.251.165] 1900 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202132; rev:1;) alert tcp $HOME_NET any -> [186.183.199.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202133; rev:1;) alert tcp $HOME_NET any -> [181.215.47.171] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202134; rev:1;) alert tcp $HOME_NET any -> [173.46.85.68] 2016 (msg:"SSLBL: Traffic to malicious host (likely 
Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202135; rev:1;) alert tcp $HOME_NET any -> [194.5.98.56] 5532 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202136; rev:1;) alert tcp $HOME_NET any -> [194.5.99.158] 7210 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202137; rev:1;) alert tcp $HOME_NET any -> [46.17.47.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202138; rev:1;) alert tcp $HOME_NET any -> [37.59.134.55] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202139; rev:1;) alert tcp $HOME_NET any -> [173.46.85.234] 7578 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202140; rev:1;) alert tcp $HOME_NET any -> [186.42.226.46] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202141; rev:1;) alert tcp $HOME_NET any -> [185.158.248.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202142; rev:1;) alert tcp $HOME_NET any -> [5.8.88.125] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202143; rev:1;) alert tcp $HOME_NET any -> [173.46.85.19] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202144; rev:1;) alert tcp $HOME_NET any -> [194.5.99.136] 6229 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202145; rev:1;) alert tcp $HOME_NET any -> [185.205.210.139] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202146; rev:1;) alert tcp $HOME_NET any -> [185.236.203.60] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202147; rev:1;) alert tcp $HOME_NET any -> [194.5.98.194] 5090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202148; rev:1;) alert tcp $HOME_NET any -> [173.46.85.161] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202149; rev:1;) alert tcp $HOME_NET any -> [185.156.174.115] 19741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202150; rev:1;) alert tcp $HOME_NET any -> [185.125.205.91] 
2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202151; rev:1;) alert tcp $HOME_NET any -> [185.174.173.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202152; rev:1;) alert tcp $HOME_NET any -> [178.239.21.106] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202153; rev:1;) alert tcp $HOME_NET any -> [194.5.99.2] 1995 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202154; rev:1;) alert tcp $HOME_NET any -> [185.244.30.114] 5007 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202155; rev:1;) alert tcp $HOME_NET any -> [185.125.205.73] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202156; rev:1;) alert tcp $HOME_NET any -> [193.29.56.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202157; rev:1;) alert tcp $HOME_NET any -> [45.55.36.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202158; rev:1;) alert tcp $HOME_NET any 
-> [194.5.99.7] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202159; rev:1;) alert tcp $HOME_NET any -> [194.5.98.104] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202160; rev:1;) alert tcp $HOME_NET any -> [31.171.152.103] 5011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202161; rev:1;) alert tcp $HOME_NET any -> [87.236.22.142] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202162; rev:1;) alert tcp $HOME_NET any -> [144.76.215.117] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202163; rev:1;) alert tcp $HOME_NET any -> [194.5.98.56] 5542 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202164; rev:1;) alert tcp $HOME_NET any -> [91.192.100.52] 2225 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202165; rev:1;) alert tcp $HOME_NET any -> [194.5.99.226] 1785 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202166; rev:1;) alert 
tcp $HOME_NET any -> [140.82.48.224] 3040 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202167; rev:1;) alert tcp $HOME_NET any -> [173.46.85.98] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202168; rev:1;) alert tcp $HOME_NET any -> [185.244.30.114] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202169; rev:1;) alert tcp $HOME_NET any -> [45.249.90.124] 7322 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202170; rev:1;) alert tcp $HOME_NET any -> [194.5.98.38] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202171; rev:1;) alert tcp $HOME_NET any -> [185.125.205.75] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202172; rev:1;) alert tcp $HOME_NET any -> [31.7.188.40] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202173; rev:1;) alert tcp $HOME_NET any -> [185.203.118.6] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202174; rev:1;) alert tcp $HOME_NET any -> [185.141.62.213] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202175; rev:1;) alert tcp $HOME_NET any -> [194.5.99.207] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202176; rev:1;) alert tcp $HOME_NET any -> [194.5.99.159] 2121 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202177; rev:1;) alert tcp $HOME_NET any -> [173.46.85.60] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202178; rev:1;) alert tcp $HOME_NET any -> [195.123.227.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202179; rev:1;) alert tcp $HOME_NET any -> [92.222.10.99] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202180; rev:1;) alert tcp $HOME_NET any -> [185.244.30.114] 92 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202181; rev:1;) alert tcp $HOME_NET any -> [185.244.30.105] 5689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202182; rev:1;) alert tcp $HOME_NET any -> [94.103.83.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202183; rev:1;) alert tcp $HOME_NET any -> [185.125.205.69] 5843 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202184; rev:1;) alert tcp $HOME_NET any -> [194.5.98.56] 7742 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202185; rev:1;) alert tcp $HOME_NET any -> [181.129.171.34] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202186; rev:1;) alert tcp $HOME_NET any -> [173.46.85.60] 2040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202187; rev:1;) alert tcp $HOME_NET any -> [91.192.100.16] 5738 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202188; rev:1;) alert tcp $HOME_NET any -> [81.177.141.211] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202189; rev:1;) alert tcp $HOME_NET any -> [194.99.20.254] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202190; rev:1;) alert tcp $HOME_NET any -> [195.123.245.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202191; rev:1;) alert tcp $HOME_NET any -> [185.202.174.91] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202192; rev:1;) alert tcp $HOME_NET any -> [181.215.247.164] 1973 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202193; rev:1;) alert tcp $HOME_NET any -> [91.192.100.40] 5290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202194; rev:1;) alert tcp $HOME_NET any -> [46.166.173.109] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202195; rev:1;) alert tcp $HOME_NET any -> [185.244.30.101] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202196; rev:1;) alert tcp $HOME_NET any -> [185.244.30.106] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202197; rev:1;) alert tcp $HOME_NET any -> [68.183.249.84] 3040 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202198; rev:1;) alert tcp $HOME_NET any -> [185.244.30.109] 5552 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202199; rev:1;) alert tcp $HOME_NET any -> [185.22.65.5] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202200; rev:1;) alert tcp $HOME_NET any -> [185.244.30.109] 7742 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202201; rev:1;) alert tcp $HOME_NET any -> [185.244.30.113] 7328 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202202; rev:1;) alert tcp $HOME_NET any -> [194.5.98.226] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202203; rev:1;) alert tcp $HOME_NET any -> [173.46.85.71] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202204; rev:1;) alert tcp $HOME_NET any -> [94.185.86.56] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202205; rev:1;) alert tcp $HOME_NET any -> [54.37.86.44] 443 (msg:"SSLBL: Traffic to malicious host (likely 
AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202206; rev:1;) alert tcp $HOME_NET any -> [18.221.114.76] 1515 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202207; rev:1;) alert tcp $HOME_NET any -> [78.155.220.198] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202208; rev:1;) alert tcp $HOME_NET any -> [138.197.148.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202209; rev:1;) alert tcp $HOME_NET any -> [181.129.146.34] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202210; rev:1;) alert tcp $HOME_NET any -> [185.236.203.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Zebrocy C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202211; rev:1;) alert tcp $HOME_NET any -> [212.73.150.215] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202212; rev:1;) alert tcp $HOME_NET any -> [185.158.249.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202213; rev:1;) alert tcp $HOME_NET any -> [194.5.98.139] 9030 (msg:"SSLBL: 
Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202214; rev:1;) alert tcp $HOME_NET any -> [192.99.212.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202215; rev:1;) alert tcp $HOME_NET any -> [199.21.106.189] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202216; rev:1;) alert tcp $HOME_NET any -> [185.244.30.93] 9888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202217; rev:1;) alert tcp $HOME_NET any -> [162.244.32.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202218; rev:1;) alert tcp $HOME_NET any -> [213.152.161.138] 55314 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202219; rev:1;) alert tcp $HOME_NET any -> [194.5.99.67] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202220; rev:1;) alert tcp $HOME_NET any -> [85.217.170.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202221; rev:1;) alert tcp $HOME_NET any 
-> [185.158.251.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202222; rev:1;) alert tcp $HOME_NET any -> [82.199.134.156] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202223; rev:1;) alert tcp $HOME_NET any -> [185.125.205.79] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202224; rev:1;) alert tcp $HOME_NET any -> [173.46.85.205] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202225; rev:1;) alert tcp $HOME_NET any -> [31.171.152.107] 4389 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202226; rev:1;) alert tcp $HOME_NET any -> [91.192.100.48] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202227; rev:1;) alert tcp $HOME_NET any -> [91.192.100.27] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202228; rev:1;) alert tcp $HOME_NET any -> [46.17.45.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202229; 
rev:1;) alert tcp $HOME_NET any -> [136.25.2.43] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202230; rev:1;) alert tcp $HOME_NET any -> [95.47.161.68] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202231; rev:1;) alert tcp $HOME_NET any -> [192.227.248.175] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202232; rev:1;) alert tcp $HOME_NET any -> [91.192.100.44] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202233; rev:1;) alert tcp $HOME_NET any -> [103.89.88.88] 8898 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202234; rev:1;) alert tcp $HOME_NET any -> [46.183.223.10] 7650 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202235; rev:1;) alert tcp $HOME_NET any -> [185.244.30.121] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202236; rev:1;) alert tcp $HOME_NET any -> [68.111.123.100] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202237; rev:1;) alert tcp $HOME_NET any -> [81.177.180.174] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202238; rev:1;) alert tcp $HOME_NET any -> [194.5.99.250] 683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202239; rev:1;) alert tcp $HOME_NET any -> [194.5.99.97] 683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202240; rev:1;) alert tcp $HOME_NET any -> [194.5.98.148] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202241; rev:1;) alert tcp $HOME_NET any -> [31.171.152.105] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202242; rev:1;) alert tcp $HOME_NET any -> [194.5.99.59] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202243; rev:1;) alert tcp $HOME_NET any -> [195.123.245.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202244; rev:1;) alert tcp $HOME_NET any -> [173.46.85.22] 5000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905202245; rev:1;) alert tcp $HOME_NET any -> [185.125.205.78] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202246; rev:1;) alert tcp $HOME_NET any -> [185.189.149.187] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202247; rev:1;) alert tcp $HOME_NET any -> [181.129.93.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202248; rev:1;) alert tcp $HOME_NET any -> [179.43.176.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202249; rev:1;) alert tcp $HOME_NET any -> [212.47.194.15] 8898 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202250; rev:1;) alert tcp $HOME_NET any -> [195.123.212.149] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202251; rev:1;) alert tcp $HOME_NET any -> [173.254.223.115] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202252; rev:1;) alert tcp $HOME_NET any -> [185.231.153.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202253; rev:1;)
# The msg text "likely Malware C&C traffic" names no malware family, so an
# alert from such a rule says only that a $HOME_NET host held an established
# TCP session to the listed IP and port. Triage needs host-side evidence
# (process, DNS history, TLS certificate) to decide what was actually talking.
alert tcp $HOME_NET any -> [195.123.213.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202254; rev:1;)
alert tcp $HOME_NET any -> [137.74.131.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202255; rev:1;)
alert tcp $HOME_NET any -> [185.127.27.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202256; rev:1;)
alert tcp $HOME_NET any -> [93.115.26.171] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202257; rev:1;)
# NOTE(review): 35.198.61.54 looks like a public-cloud address (presumably a
# Google Cloud range; confirm with whois). Cloud addresses are reassigned
# between tenants, so a hit on 443 here may be an unrelated service that now
# holds the IP. Check the listing date on SSLBL before escalating.
alert tcp $HOME_NET any -> [35.198.61.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202258; rev:1;)
alert tcp $HOME_NET any -> [194.68.225.63] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202259; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.31] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202260; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.119] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202261; rev:1;) alert tcp $HOME_NET any -> [31.171.152.103] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202262; rev:1;) alert tcp $HOME_NET any -> [109.230.199.159] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202263; rev:1;) alert tcp $HOME_NET any -> [185.181.165.20] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202264; rev:1;) alert tcp $HOME_NET any -> [103.249.88.244] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202265; rev:1;) alert tcp $HOME_NET any -> [185.244.30.109] 5532 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202266; rev:1;) alert tcp $HOME_NET any -> [37.10.71.110] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202267; rev:1;) alert tcp $HOME_NET any -> [208.79.106.86] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202268; rev:1;) alert tcp $HOME_NET any -> [31.171.152.106] 1313 (msg:"SSLBL: Traffic to malicious 
host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202269; rev:1;) alert tcp $HOME_NET any -> [91.192.100.15] 7274 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202270; rev:1;) alert tcp $HOME_NET any -> [194.5.99.63] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202271; rev:1;) alert tcp $HOME_NET any -> [103.63.2.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202272; rev:1;) alert tcp $HOME_NET any -> [144.217.242.133] 10135 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202273; rev:1;) alert tcp $HOME_NET any -> [216.27.121.122] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202274; rev:1;) alert tcp $HOME_NET any -> [95.213.251.165] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202275; rev:1;) alert tcp $HOME_NET any -> [173.46.85.97] 7462 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202276; rev:1;) alert tcp $HOME_NET any -> [178.33.137.136] 65535 
(msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202277; rev:1;)
# How to read the rules in this feed:
#  - Each rule matches an established TCP flow from $HOME_NET (any source
#    port) to ONE fixed destination IP and port, client-to-server direction.
#  - There is no payload, TLS or certificate keyword in the rule, so the
#    family name in msg ("likely ...") is the feed's attribution for that
#    endpoint, not something verified in the observed traffic.
#  - threshold "type limit, track by_src, seconds 60, count 1" caps output at
#    one alert per source host per 60 seconds for each sid, so a single alert
#    can stand for many connections. Use flow logs to see the real volume.
#  - The feed header marks this as the "Aggressive" list, last updated
#    2021-01-19. IP:port indicators go stale as hosts are cleaned up or
#    re-addressed, so check how old the loaded ruleset is before acting on a hit.
alert tcp $HOME_NET any -> [91.192.100.3] 3545 (msg:"SSLBL: Traffic to malicious host (likely NetWire C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202278; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.240] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202279; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.111] 7063 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202280; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.90] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202281; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.98] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202282; rev:1;)
# NOTE(review): 104.18.34.162 appears to fall inside a shared CDN /
# reverse-proxy range (Cloudflare publishes 104.16.0.0/13; confirm with
# whois). If so, many unrelated sites answer on this IP:443, and this rule
# will alert on ordinary HTTPS to any of them. Expect false positives:
# correlate with TLS SNI or the server certificate before treating a hit as
# an infection, or suppress this sid locally.
alert tcp $HOME_NET any -> [104.18.34.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202283; rev:1;)
alert tcp $HOME_NET any -> [194.165.3.3] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202284; rev:1;)
alert tcp 
$HOME_NET any -> [51.38.133.245] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202285; rev:1;) alert tcp $HOME_NET any -> [194.5.99.58] 1409 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202286; rev:1;) alert tcp $HOME_NET any -> [170.247.3.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202287; rev:1;) alert tcp $HOME_NET any -> [187.61.108.254] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202288; rev:1;) alert tcp $HOME_NET any -> [94.130.40.150] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202289; rev:1;) alert tcp $HOME_NET any -> [194.5.99.85] 5099 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202290; rev:1;) alert tcp $HOME_NET any -> [173.46.85.86] 4435 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202291; rev:1;) alert tcp $HOME_NET any -> [185.148.241.57] 2049 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202292; rev:1;) alert tcp $HOME_NET any -> [104.148.109.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202293; rev:1;) alert tcp $HOME_NET any -> [185.244.30.109] 5542 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202294; rev:1;) alert tcp $HOME_NET any -> [181.209.88.26] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202295; rev:1;) alert tcp $HOME_NET any -> [187.19.17.132] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202296; rev:1;) alert tcp $HOME_NET any -> [185.125.205.68] 1918 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202297; rev:1;) alert tcp $HOME_NET any -> [194.5.99.117] 6040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202298; rev:1;) alert tcp $HOME_NET any -> [205.237.44.244] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202299; rev:1;) alert tcp $HOME_NET any -> [181.215.247.224] 9620 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905202300; rev:1;) alert tcp $HOME_NET any -> [208.73.200.123] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202301; rev:1;) alert tcp $HOME_NET any -> [170.79.176.242] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202302; rev:1;) alert tcp $HOME_NET any -> [193.37.213.27] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202303; rev:1;) alert tcp $HOME_NET any -> [186.147.161.204] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202304; rev:1;) alert tcp $HOME_NET any -> [186.167.66.51] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202305; rev:1;) alert tcp $HOME_NET any -> [194.76.224.11] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202306; rev:1;) alert tcp $HOME_NET any -> [54.180.98.118] 1081 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202307; rev:1;) alert tcp $HOME_NET any -> [45.225.65.178] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202308; rev:1;) alert tcp $HOME_NET any -> [58.84.34.214] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202309; rev:1;) alert tcp $HOME_NET any -> [213.32.93.218] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202310; rev:1;) alert tcp $HOME_NET any -> [103.1.184.108] 54984 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202311; rev:1;) alert tcp $HOME_NET any -> [193.56.28.161] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202312; rev:1;) alert tcp $HOME_NET any -> [31.171.152.106] 2522 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202313; rev:1;) alert tcp $HOME_NET any -> [94.237.28.110] 3737 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202314; rev:1;) alert tcp $HOME_NET any -> [176.119.158.39] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202315; rev:1;) alert tcp $HOME_NET any -> [23.231.4.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Loki C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202316; rev:1;) alert tcp $HOME_NET any -> [185.158.249.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202317; rev:1;) alert tcp $HOME_NET any -> [94.156.189.60] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202318; rev:1;) alert tcp $HOME_NET any -> [185.158.251.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202319; rev:1;) alert tcp $HOME_NET any -> [200.116.76.159] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202320; rev:1;) alert tcp $HOME_NET any -> [205.201.36.227] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202321; rev:1;) alert tcp $HOME_NET any -> [125.209.82.158] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202322; rev:1;) alert tcp $HOME_NET any -> [95.168.176.160] 5525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202323; rev:1;) alert tcp $HOME_NET any -> [76.107.90.235] 449 (msg:"SSLBL: Traffic to malicious host 
(likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202324; rev:1;) alert tcp $HOME_NET any -> [94.156.144.197] 5525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202325; rev:1;) alert tcp $HOME_NET any -> [185.189.149.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202326; rev:1;) alert tcp $HOME_NET any -> [51.75.162.41] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202327; rev:1;) alert tcp $HOME_NET any -> [147.135.165.107] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202328; rev:1;) alert tcp $HOME_NET any -> [72.226.102.151] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202329; rev:1;) alert tcp $HOME_NET any -> [47.44.54.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202330; rev:1;) alert tcp $HOME_NET any -> [110.164.69.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202331; rev:1;) alert tcp $HOME_NET any -> [201.251.18.28] 449 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202332; rev:1;) alert tcp $HOME_NET any -> [185.189.149.252] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202333; rev:1;) alert tcp $HOME_NET any -> [202.63.242.48] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202334; rev:1;) alert tcp $HOME_NET any -> [98.226.192.30] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202335; rev:1;) alert tcp $HOME_NET any -> [173.46.85.168] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202336; rev:1;) alert tcp $HOME_NET any -> [96.9.90.104] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202337; rev:1;) alert tcp $HOME_NET any -> [47.224.98.123] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202338; rev:1;) alert tcp $HOME_NET any -> [185.148.241.61] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202339; rev:1;) alert tcp $HOME_NET 
any -> [185.244.30.124] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202340; rev:1;) alert tcp $HOME_NET any -> [66.64.20.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202341; rev:1;) alert tcp $HOME_NET any -> [73.115.58.90] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202342; rev:1;) alert tcp $HOME_NET any -> [103.235.176.174] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202343; rev:1;) alert tcp $HOME_NET any -> [173.46.85.197] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202344; rev:1;) alert tcp $HOME_NET any -> [188.215.229.26] 3388 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202345; rev:1;) alert tcp $HOME_NET any -> [89.36.223.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202346; rev:1;) alert tcp $HOME_NET any -> [194.5.99.175] 2112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202347; 
rev:1;) alert tcp $HOME_NET any -> [24.217.193.43] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202348; rev:1;) alert tcp $HOME_NET any -> [24.217.192.131] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202349; rev:1;) alert tcp $HOME_NET any -> [160.20.147.219] 1000 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202350; rev:1;) alert tcp $HOME_NET any -> [24.247.182.253] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202351; rev:1;) alert tcp $HOME_NET any -> [24.247.182.156] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202352; rev:1;) alert tcp $HOME_NET any -> [46.29.167.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202353; rev:1;) alert tcp $HOME_NET any -> [108.174.120.172] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202354; rev:1;) alert tcp $HOME_NET any -> [37.252.5.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202355; rev:1;) alert tcp $HOME_NET any -> [190.109.178.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202356; rev:1;) alert tcp $HOME_NET any -> [85.143.219.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202357; rev:1;) alert tcp $HOME_NET any -> [45.161.216.57] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202358; rev:1;) alert tcp $HOME_NET any -> [177.104.252.32] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202359; rev:1;) alert tcp $HOME_NET any -> [204.14.154.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202360; rev:1;) alert tcp $HOME_NET any -> [73.2.223.45] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202361; rev:1;) alert tcp $HOME_NET any -> [97.87.175.152] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202362; rev:1;) alert tcp $HOME_NET any -> [24.217.49.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202363; rev:1;) alert tcp $HOME_NET any -> [185.86.150.77] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202364; rev:1;) alert tcp $HOME_NET any -> [209.58.186.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202365; rev:1;) alert tcp $HOME_NET any -> [185.61.148.31] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202366; rev:1;) alert tcp $HOME_NET any -> [185.148.241.41] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202367; rev:1;) alert tcp $HOME_NET any -> [62.76.74.249] 13337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202368; rev:1;) alert tcp $HOME_NET any -> [63.135.55.17] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202369; rev:1;) alert tcp $HOME_NET any -> [45.6.127.2] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202370; rev:1;) alert tcp $HOME_NET any -> [24.247.182.169] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202371; rev:1;)
# Rule shape, identical for every entry below: alert on an established TCP flow, in the
# to_server direction, from $HOME_NET to one listed IP address and port.
# No rule here has a content or TLS match, so any connection to that address and port
# fires it, whatever service answers there today. Ports 443 and 449 dominate this section.
# The file banner gives the last update as 2021-01-19 and labels the set "Aggressive".
# IP-only indicators go stale as addresses are reassigned, so treat a hit as a lead to
# corroborate with endpoint or TLS-certificate evidence. The msg itself says only "likely".
# threshold type limit, track by_src, seconds 60, count 1 emits at most one alert per
# source address per 60 seconds for each sid; it reduces alert volume, not matching.
# NOTE(review): Snort's manual marks the in-rule threshold keyword as deprecated in favour
# of event_filter / detection_filter - confirm the engine version in use still accepts it.
alert tcp $HOME_NET any -> [104.255.182.45] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202372; rev:1;)
alert tcp $HOME_NET any -> [68.119.85.138] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202373; rev:1;)
alert tcp $HOME_NET any -> [62.173.138.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202374; rev:1;)
alert tcp $HOME_NET any -> [23.111.148.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202375; rev:1;)
alert tcp $HOME_NET any -> [185.223.163.26] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202376; rev:1;)
alert tcp $HOME_NET any -> [89.223.94.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202377; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202378; rev:1;)
alert tcp $HOME_NET any -> [179.43.183.150] 3003 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202379; rev:1;)
alert tcp $HOME_NET any -> [179.43.183.150] 3004 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202380; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.56] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202381; rev:1;)
alert tcp $HOME_NET any -> [104.223.76.206] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202382; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.39] 8280 (msg:"SSLBL: Traffic to malicious host (likely Meterpreter C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202383; rev:1;)
alert tcp $HOME_NET any -> [46.166.161.186] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202384; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202385; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.159] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202386; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202387; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.128] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202388; rev:1;)
alert tcp $HOME_NET any -> [188.120.236.10] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202389; rev:1;)
alert tcp $HOME_NET any -> [37.59.160.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202390; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.226] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202391; rev:1;)
alert tcp $HOME_NET any -> [31.148.219.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202392; rev:1;)
alert tcp $HOME_NET any -> [192.162.244.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202393; rev:1;)
alert tcp $HOME_NET any -> [94.140.125.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202394; rev:1;)
alert tcp $HOME_NET any -> [185.174.173.140] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202395; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202396; rev:1;)
alert tcp $HOME_NET any -> [213.183.63.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202397; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.225] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202398; rev:1;)
alert tcp $HOME_NET any -> [82.146.56.170] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202399; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.77] 7524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202400; rev:1;)
alert tcp $HOME_NET any -> [179.43.156.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202401; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202402; rev:1;)
alert tcp $HOME_NET any -> [91.201.65.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202403; rev:1;)
alert tcp $HOME_NET any -> [185.22.172.180] 5051 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202404; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.29] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202405; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.174] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202406; rev:1;)
alert tcp $HOME_NET any -> [174.34.253.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202407; rev:1;)
alert tcp $HOME_NET any -> [178.21.8.42] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202408; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.39] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202409; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202410; rev:1;)
alert tcp $HOME_NET any -> [64.128.175.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202411; rev:1;)
alert tcp $HOME_NET any -> [109.234.36.198] 1616 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202412; rev:1;)
alert tcp $HOME_NET any -> [198.54.115.114] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202413; rev:1;)
alert tcp $HOME_NET any -> [185.86.149.175] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202414; rev:1;)
# NOTE(review): the next two rules match the same address and port (144.202.23.191:443)
# under different sids and family labels (Gozi, generic Malware). The threshold is kept
# per sid, so a single flow raises two alerts; deduplicate downstream on destination.
alert tcp $HOME_NET any -> [144.202.23.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202415; rev:1;)
alert tcp $HOME_NET any -> [144.202.23.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202416; rev:1;)
alert tcp $HOME_NET any -> [35.202.16.252] 1336 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202417; rev:1;)
alert tcp $HOME_NET any -> [185.197.75.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202418; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.7] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202419; rev:1;)
alert tcp $HOME_NET any -> [184.106.153.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202420; rev:1;)
alert tcp $HOME_NET any -> [94.140.125.119] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202421; rev:1;)
alert tcp $HOME_NET any -> [188.120.243.46] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202422; rev:1;)
alert tcp $HOME_NET any -> [194.5.250.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202423; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.220] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202424; rev:1;)
alert tcp $HOME_NET any -> [74.132.135.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202425; rev:1;)
alert tcp $HOME_NET any -> [185.65.202.12] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202426; rev:1;)
alert tcp $HOME_NET any -> [213.183.51.208] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202427; rev:1;)
alert tcp $HOME_NET any -> [198.61.196.18] 1801 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202428; rev:1;)
alert tcp $HOME_NET any -> [37.60.177.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202429; rev:1;)
alert tcp $HOME_NET any -> [193.37.212.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202430; rev:1;)
# The next rule is labelled "malware distribution" rather than "C&C". Its classtype and
# match conditions are the same as its neighbours, so only the msg text tells them apart.
alert tcp $HOME_NET any -> [85.217.170.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202431; rev:1;)
alert tcp $HOME_NET any -> [37.187.61.1] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202432; rev:1;)
alert tcp $HOME_NET any -> [62.210.248.53] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202433; rev:1;)
alert tcp $HOME_NET any -> [92.63.197.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202434; rev:1;)
alert tcp $HOME_NET any -> [83.166.242.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202435; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.50] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202436; rev:1;)
alert tcp $HOME_NET any -> [97.87.172.0] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202437; rev:1;)
alert tcp $HOME_NET any -> [185.25.50.204] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202438; rev:1;)
alert tcp $HOME_NET any -> [81.176.239.195] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202439; rev:1;)
alert tcp $HOME_NET any -> [75.108.123.165] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202440; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202441; rev:1;)
alert tcp $HOME_NET any -> [185.244.150.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202442; rev:1;)
alert tcp $HOME_NET any -> [172.106.33.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202443; rev:1;)
alert tcp $HOME_NET any -> [72.241.62.188] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202444; rev:1;)
alert tcp $HOME_NET any -> [192.48.88.22] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202445; rev:1;)
alert tcp $HOME_NET any -> [176.10.118.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202446; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202447; rev:1;)
alert tcp $HOME_NET any -> [185.238.136.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202448; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202449; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202450; rev:1;)
alert tcp $HOME_NET any -> [146.0.72.183] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202451; rev:1;)
alert tcp $HOME_NET any -> [185.246.155.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202452; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202453; rev:1;)
alert tcp $HOME_NET any -> [37.252.9.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202454; rev:1;)
alert tcp $HOME_NET any -> [178.162.132.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202455; rev:1;)
alert tcp $HOME_NET any -> [83.166.240.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202456; rev:1;)
alert tcp $HOME_NET any -> [47.74.242.150] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202457; rev:1;)
alert tcp $HOME_NET any -> [3.16.149.119] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202458; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202459; rev:1;)
alert tcp $HOME_NET any -> [77.222.63.66] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202460; rev:1;)
alert tcp $HOME_NET any -> [185.129.49.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202461; rev:1;)
alert tcp $HOME_NET any -> [83.166.247.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202462; rev:1;)
alert tcp $HOME_NET any -> [185.66.9.143] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202463; rev:1;)
alert tcp $HOME_NET any -> [199.227.126.250] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202464; rev:1;)
alert tcp $HOME_NET any -> [24.113.161.184] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202465; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202466; rev:1;)
alert tcp $HOME_NET any -> [37.252.4.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202467; rev:1;)
alert tcp $HOME_NET any -> [176.32.32.6] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202468; rev:1;)
alert tcp $HOME_NET any -> [172.222.97.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202469; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202470; rev:1;)
alert tcp $HOME_NET any -> [72.189.124.41] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202471; rev:1;)
alert tcp $HOME_NET any -> [24.247.181.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202472; rev:1;)
alert tcp $HOME_NET any -> [185.159.129.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202473; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202474; rev:1;)
alert tcp $HOME_NET any -> [174.105.235.178] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202475; rev:1;)
alert tcp $HOME_NET any -> [95.213.144.203] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202476; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.108] 2216 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202477; rev:1;)
alert tcp $HOME_NET any -> [94.140.125.158] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202478; rev:1;)
alert tcp $HOME_NET any -> [24.247.181.155] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202479; rev:1;)
alert tcp $HOME_NET any -> [85.204.74.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202480; rev:1;)
alert tcp $HOME_NET any -> [24.227.222.4] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202481; rev:1;)
alert tcp $HOME_NET any -> [75.102.135.23] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202482; rev:1;)
alert tcp $HOME_NET any -> [185.231.246.107] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202483; rev:1;)
# NOTE(review): the next two rules match the same address and port (51.38.146.101:443)
# under different sids and family labels (IcedID, Gozi). One flow raises two alerts, and
# the family named in either msg should not be read as an attribution on its own.
alert tcp $HOME_NET any -> [51.38.146.101] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202484; rev:1;)
alert tcp $HOME_NET any -> [51.38.146.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202485; rev:1;)
alert tcp $HOME_NET any -> [46.229.214.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202486; rev:1;)
alert tcp $HOME_NET any -> [74.134.5.113] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202487; rev:1;)
alert tcp $HOME_NET any -> [91.230.60.116] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202488; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.115] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202489; rev:1;)
alert tcp $HOME_NET any -> [111.90.144.65] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202490; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202491; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202492; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202493; rev:1;)
alert tcp $HOME_NET any -> [66.60.121.58] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202494; rev:1;)
alert tcp $HOME_NET any -> [178.162.132.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202495; rev:1;)
alert tcp $HOME_NET any -> [74.140.160.33] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202496; rev:1;)
alert tcp $HOME_NET any -> [65.31.241.133] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202497; rev:1;)
alert tcp $HOME_NET any -> [206.130.141.255] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202498; rev:1;)
alert tcp $HOME_NET any -> [145.239.140.188] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202499; rev:1;)
alert tcp $HOME_NET any -> [192.162.244.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202500; rev:1;)
alert tcp $HOME_NET any -> [24.119.69.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202501; rev:1;)
alert tcp $HOME_NET any -> [92.223.105.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202502; rev:1;)
alert tcp $HOME_NET any -> [188.227.18.135] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202503; rev:1;)
alert tcp $HOME_NET any -> [185.183.96.145] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202504; rev:1;)
alert tcp $HOME_NET any -> [76.181.182.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202505; rev:1;)
alert tcp $HOME_NET any -> [174.105.233.82] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202506; rev:1;)
alert tcp $HOME_NET any -> [54.39.218.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202507; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.73] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202508; rev:1;)
alert tcp $HOME_NET any -> [54.39.218.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202509; rev:1;)
alert tcp $HOME_NET any -> [192.48.88.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202510; rev:1;)
alert tcp $HOME_NET any -> [192.48.88.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202511; rev:1;)
alert tcp $HOME_NET any -> [144.217.37.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202512; rev:1;)
alert tcp $HOME_NET any -> [66.70.205.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202513; rev:1;)
alert tcp $HOME_NET any -> [205.157.150.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202514; rev:1;)
alert tcp $HOME_NET any -> [207.140.14.141] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202515; rev:1;)
alert tcp $HOME_NET any -> [71.193.151.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202516; rev:1;)
alert tcp $HOME_NET any -> [67.49.38.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202517; rev:1;)
alert tcp $HOME_NET any -> [73.67.78.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202518; rev:1;)
alert tcp $HOME_NET any -> [47.254.153.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202519; rev:1;)
alert tcp $HOME_NET any -> [68.4.173.10] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202520; rev:1;)
alert tcp $HOME_NET any -> [140.190.54.187] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202521; rev:1;)
alert tcp $HOME_NET any -> [54.39.81.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202522; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.87] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202523; rev:1;)
alert tcp $HOME_NET any -> [178.162.132.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202524; rev:1;)
alert tcp $HOME_NET any -> [185.121.166.26] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202525; rev:1;)
alert tcp $HOME_NET any -> [185.127.27.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202526; rev:1;)
alert tcp $HOME_NET any -> [185.48.57.117] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202527; rev:1;)
# NOTE(review): the msg below spells the family "IcedId", where the other rules here use
# "IcedID". Dashboards or suppressions keyed on the exact msg text will treat it as a
# separate family, so match case-insensitively or key on sid instead.
alert tcp $HOME_NET any -> [83.217.10.56] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202528; rev:1;)
alert tcp $HOME_NET any -> 
[81.177.135.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202529; rev:1;) alert tcp $HOME_NET any -> [54.39.81.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202530; rev:1;) alert tcp $HOME_NET any -> [185.86.151.152] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202531; rev:1;) alert tcp $HOME_NET any -> [193.183.98.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202532; rev:1;) alert tcp $HOME_NET any -> [185.144.29.92] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202533; rev:1;) alert tcp $HOME_NET any -> [85.143.220.184] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202534; rev:1;) alert tcp $HOME_NET any -> [68.3.14.71] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202535; rev:1;) alert tcp $HOME_NET any -> [69.57.26.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202536; rev:1;) 
alert tcp $HOME_NET any -> [185.117.72.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202537; rev:1;) alert tcp $HOME_NET any -> [95.215.44.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202538; rev:1;) alert tcp $HOME_NET any -> [54.39.74.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202539; rev:1;) alert tcp $HOME_NET any -> [185.45.193.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202540; rev:1;) alert tcp $HOME_NET any -> [95.181.179.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202541; rev:1;) alert tcp $HOME_NET any -> [91.192.100.20] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202542; rev:1;) alert tcp $HOME_NET any -> [190.181.235.50] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202543; rev:1;) alert tcp $HOME_NET any -> [80.87.193.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202544; 
rev:1;) alert tcp $HOME_NET any -> [185.94.96.226] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202545; rev:1;) alert tcp $HOME_NET any -> [94.140.125.232] 8443 (msg:"SSLBL: Traffic to malicious host (likely CoinMiner C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202546; rev:1;) alert tcp $HOME_NET any -> [192.42.119.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202547; rev:1;) alert tcp $HOME_NET any -> [185.92.74.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202548; rev:1;) alert tcp $HOME_NET any -> [95.179.144.131] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202549; rev:1;) alert tcp $HOME_NET any -> [46.29.164.171] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202550; rev:1;) alert tcp $HOME_NET any -> [46.36.220.116] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202551; rev:1;) alert tcp $HOME_NET any -> [185.68.93.59] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202552; rev:1;) alert tcp $HOME_NET any -> [31.214.157.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202553; rev:1;) alert tcp $HOME_NET any -> [98.177.188.224] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202554; rev:1;) alert tcp $HOME_NET any -> [46.148.26.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202555; rev:1;) alert tcp $HOME_NET any -> [185.22.154.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202556; rev:1;) alert tcp $HOME_NET any -> [198.46.207.107] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202557; rev:1;) alert tcp $HOME_NET any -> [104.236.212.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202558; rev:1;) alert tcp $HOME_NET any -> [185.77.129.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202559; rev:1;) alert tcp $HOME_NET any -> [68.45.243.125] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202560; rev:1;) alert tcp $HOME_NET any -> [71.94.101.25] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202561; rev:1;) alert tcp $HOME_NET any -> [92.38.130.63] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202562; rev:1;) alert tcp $HOME_NET any -> [110.232.86.52] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202563; rev:1;) alert tcp $HOME_NET any -> [51.68.184.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202564; rev:1;) alert tcp $HOME_NET any -> [136.243.189.204] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202565; rev:1;) alert tcp $HOME_NET any -> [185.251.38.178] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202566; rev:1;) alert tcp $HOME_NET any -> [37.235.251.150] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202567; rev:1;) alert tcp $HOME_NET any -> [95.181.179.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202568; rev:1;) alert tcp $HOME_NET any -> [5.2.67.212] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202569; rev:1;) alert tcp $HOME_NET any -> [93.189.43.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202570; rev:1;) alert tcp $HOME_NET any -> [185.17.123.248] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202571; rev:1;) alert tcp $HOME_NET any -> [54.39.175.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202572; rev:1;) alert tcp $HOME_NET any -> [186.47.103.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202573; rev:1;) alert tcp $HOME_NET any -> [107.175.127.147] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202574; rev:1;) alert tcp $HOME_NET any -> [185.189.132.134] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202575; rev:1;) alert tcp $HOME_NET any -> [185.231.154.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202576; rev:1;) alert tcp $HOME_NET any -> [185.94.99.7] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202577; rev:1;) alert tcp $HOME_NET any -> [54.39.124.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202578; rev:1;) alert tcp $HOME_NET any -> [46.105.131.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202579; rev:1;) alert tcp $HOME_NET any -> [46.29.160.120] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202580; rev:1;) alert tcp $HOME_NET any -> [93.170.105.33] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202581; rev:1;) alert tcp $HOME_NET any -> [5.104.41.188] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202582; rev:1;) alert tcp $HOME_NET any -> [202.137.121.14] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202583; rev:1;) alert tcp $HOME_NET any -> [185.251.39.118] 443 (msg:"SSLBL: Traffic to malicious host 
(likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202584; rev:1;) alert tcp $HOME_NET any -> [185.161.211.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202585; rev:1;) alert tcp $HOME_NET any -> [31.31.161.165] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202586; rev:1;) alert tcp $HOME_NET any -> [54.39.167.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202587; rev:1;) alert tcp $HOME_NET any -> [185.246.153.252] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202588; rev:1;) alert tcp $HOME_NET any -> [46.29.165.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202589; rev:1;) alert tcp $HOME_NET any -> [185.221.153.27] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202590; rev:1;) alert tcp $HOME_NET any -> [212.23.70.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202591; rev:1;) alert tcp $HOME_NET any -> [87.121.98.37] 443 (msg:"SSLBL: 
Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202592; rev:1;) alert tcp $HOME_NET any -> [190.145.74.84] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202593; rev:1;) alert tcp $HOME_NET any -> [31.179.162.86] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202594; rev:1;) alert tcp $HOME_NET any -> [167.114.13.91] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202595; rev:1;) alert tcp $HOME_NET any -> [179.127.254.196] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202596; rev:1;) alert tcp $HOME_NET any -> [193.187.91.238] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202597; rev:1;) alert tcp $HOME_NET any -> [187.190.249.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202598; rev:1;) alert tcp $HOME_NET any -> [71.13.140.89] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202599; rev:1;) alert tcp $HOME_NET 
any -> [169.1.39.89] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202600; rev:1;) alert tcp $HOME_NET any -> [142.44.207.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202601; rev:1;) alert tcp $HOME_NET any -> [173.239.128.74] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202602; rev:1;) alert tcp $HOME_NET any -> [105.27.171.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202603; rev:1;) alert tcp $HOME_NET any -> [91.235.136.114] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202604; rev:1;) alert tcp $HOME_NET any -> [185.86.150.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202605; rev:1;) alert tcp $HOME_NET any -> [42.115.91.177] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202606; rev:1;) alert tcp $HOME_NET any -> [185.66.227.183] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202607; 
rev:1;) alert tcp $HOME_NET any -> [181.113.17.230] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202608; rev:1;) alert tcp $HOME_NET any -> [198.100.157.163] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202609; rev:1;) alert tcp $HOME_NET any -> [91.192.100.15] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202610; rev:1;) alert tcp $HOME_NET any -> [115.78.3.170] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202611; rev:1;) alert tcp $HOME_NET any -> [103.110.91.118] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202612; rev:1;) alert tcp $HOME_NET any -> [193.187.91.243] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202613; rev:1;) alert tcp $HOME_NET any -> [170.81.32.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202614; rev:1;) alert tcp $HOME_NET any -> [217.147.170.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202615; rev:1;) alert tcp $HOME_NET any -> [70.48.101.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202616; rev:1;) alert tcp $HOME_NET any -> [103.10.145.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202617; rev:1;) alert tcp $HOME_NET any -> [23.226.138.169] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202618; rev:1;) alert tcp $HOME_NET any -> [185.205.209.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202619; rev:1;) alert tcp $HOME_NET any -> [185.173.94.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202620; rev:1;) alert tcp $HOME_NET any -> [185.154.21.160] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202621; rev:1;) alert tcp $HOME_NET any -> [81.19.210.19] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202622; rev:1;) alert tcp $HOME_NET any -> [185.147.237.35] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202623; rev:1;) alert tcp $HOME_NET any -> [185.77.129.136] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202624; rev:1;) alert tcp $HOME_NET any -> [128.201.92.41] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202625; rev:1;) alert tcp $HOME_NET any -> [81.0.118.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202626; rev:1;) alert tcp $HOME_NET any -> [185.63.190.149] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202627; rev:1;) alert tcp $HOME_NET any -> [192.48.88.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202628; rev:1;) alert tcp $HOME_NET any -> [66.229.97.133] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202629; rev:1;) alert tcp $HOME_NET any -> [185.62.189.148] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202630; rev:1;) alert tcp $HOME_NET any -> [182.50.64.148] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202631; rev:1;) alert tcp $HOME_NET any -> [223.25.64.119] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202632; rev:1;) alert tcp $HOME_NET any -> [93.189.46.215] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202633; rev:1;) alert tcp $HOME_NET any -> [145.249.107.72] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202634; rev:1;) alert tcp $HOME_NET any -> [92.38.132.51] 80 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202635; rev:1;) alert tcp $HOME_NET any -> [92.38.132.51] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202636; rev:1;) alert tcp $HOME_NET any -> [82.222.40.119] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202637; rev:1;) alert tcp $HOME_NET any -> [192.252.209.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202638; rev:1;) alert tcp $HOME_NET any -> [116.212.152.12] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202639; rev:1;) alert tcp $HOME_NET any -> [144.121.143.129] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202640; rev:1;) alert tcp $HOME_NET any -> [192.188.120.164] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202641; rev:1;) alert tcp $HOME_NET any -> [97.78.222.18] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202642; rev:1;) alert tcp $HOME_NET any -> [47.74.44.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202643; rev:1;) alert tcp $HOME_NET any -> [118.97.119.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202644; rev:1;) alert tcp $HOME_NET any -> [185.42.52.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202645; rev:1;) alert tcp $HOME_NET any -> [94.232.20.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202646; rev:1;) alert tcp $HOME_NET any -> [95.154.80.154] 449 (msg:"SSLBL: Traffic 
to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202647; rev:1;) alert tcp $HOME_NET any -> [185.200.60.138] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202648; rev:1;) alert tcp $HOME_NET any -> [197.232.243.36] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202649; rev:1;) alert tcp $HOME_NET any -> [94.181.47.198] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202650; rev:1;) alert tcp $HOME_NET any -> [103.111.53.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202651; rev:1;) alert tcp $HOME_NET any -> [89.223.94.240] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202652; rev:1;) alert tcp $HOME_NET any -> [23.94.41.215] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202653; rev:1;) alert tcp $HOME_NET any -> [103.111.55.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202654; rev:1;) alert tcp $HOME_NET any -> 
[181.174.112.74] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202655; rev:1;) alert tcp $HOME_NET any -> [46.149.182.112] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202656; rev:1;) alert tcp $HOME_NET any -> [140.82.24.184] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202657; rev:1;) alert tcp $HOME_NET any -> [182.253.20.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202658; rev:1;) alert tcp $HOME_NET any -> [67.79.15.106] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202659; rev:1;) alert tcp $HOME_NET any -> [121.58.242.206] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202660; rev:1;) alert tcp $HOME_NET any -> [62.141.94.107] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202661; rev:1;) alert tcp $HOME_NET any -> [77.222.55.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202662; 
rev:1;)
alert tcp $HOME_NET any -> [104.254.10.200] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202663; rev:1;)
alert tcp $HOME_NET any -> [91.201.65.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202664; rev:1;)
alert tcp $HOME_NET any -> [81.17.86.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202665; rev:1;)
alert tcp $HOME_NET any -> [109.173.104.236] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202666; rev:1;)
alert tcp $HOME_NET any -> [31.220.45.151] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202667; rev:1;)
alert tcp $HOME_NET any -> [185.45.193.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202668; rev:1;)
# NOTE(review): this rule and the one after it cover the same host, 172.245.210.10, on
# ports 80 and 443. The rules shown here carry only msg, flow, threshold, classtype, sid
# and rev: they match on destination IP, port and flow state, with no TLS or payload
# option. An alert therefore means an established TCP session from $HOME_NET to that
# address, not that a blacklisted certificate was seen on the wire. IP attributions age;
# confirm the address is still listed (presumably against current SSLBL data) before
# treating a hit as a confirmed infection.
alert tcp $HOME_NET any -> [172.245.210.10] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202669; rev:1;)
alert tcp $HOME_NET any -> [172.245.210.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202670; rev:1;) alert tcp $HOME_NET any -> [185.214.10.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202671; rev:1;) alert tcp $HOME_NET any -> [197.232.50.85] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202672; rev:1;) alert tcp $HOME_NET any -> [92.38.132.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202673; rev:1;) alert tcp $HOME_NET any -> [93.189.41.44] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202674; rev:1;) alert tcp $HOME_NET any -> [185.159.82.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202675; rev:1;) alert tcp $HOME_NET any -> [185.231.153.228] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202676; rev:1;) alert tcp $HOME_NET any -> [185.61.138.181] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202677; rev:1;) alert tcp $HOME_NET any -> [91.217.90.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202678; rev:1;) alert tcp $HOME_NET any -> [195.254.227.201] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202679; rev:1;) alert tcp $HOME_NET any -> [178.116.83.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202680; rev:1;) alert tcp $HOME_NET any -> [111.220.125.141] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202681; rev:1;) alert tcp $HOME_NET any -> [88.87.231.162] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202682; rev:1;) alert tcp $HOME_NET any -> [93.189.41.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202683; rev:1;) alert tcp $HOME_NET any -> [185.212.131.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202684; rev:1;) alert tcp $HOME_NET any -> [195.123.216.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202685; rev:1;) alert tcp $HOME_NET any -> [178.132.7.104] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202686; rev:1;) alert tcp $HOME_NET any -> [185.15.208.110] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202687; rev:1;) alert tcp $HOME_NET any -> [5.135.252.103] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202688; rev:1;) alert tcp $HOME_NET any -> [47.49.168.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202689; rev:1;) alert tcp $HOME_NET any -> [41.211.9.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202690; rev:1;) alert tcp $HOME_NET any -> [176.10.170.65] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202691; rev:1;) alert tcp $HOME_NET any -> [51.68.188.128] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202692; rev:1;) alert tcp $HOME_NET any -> [185.75.90.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202693; rev:1;) alert tcp $HOME_NET any -> [68.169.161.5] 443 (msg:"SSLBL: Traffic to malicious host 
(likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202694; rev:1;) alert tcp $HOME_NET any -> [96.43.40.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202695; rev:1;) alert tcp $HOME_NET any -> [47.254.192.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202696; rev:1;) alert tcp $HOME_NET any -> [94.142.138.211] 443 (msg:"SSLBL: Traffic to malicious host (likely AgentTesla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202697; rev:1;) alert tcp $HOME_NET any -> [36.67.215.93] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202698; rev:1;) alert tcp $HOME_NET any -> [95.142.40.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202699; rev:1;) alert tcp $HOME_NET any -> [212.225.214.249] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202700; rev:1;) alert tcp $HOME_NET any -> [180.241.112.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202701; rev:1;) alert tcp $HOME_NET any -> [185.228.233.168] 443 
(msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202702; rev:1;) alert tcp $HOME_NET any -> [185.62.188.207] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202703; rev:1;) alert tcp $HOME_NET any -> [143.202.145.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202704; rev:1;) alert tcp $HOME_NET any -> [5.188.52.204] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202705; rev:1;) alert tcp $HOME_NET any -> [93.170.123.68] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202706; rev:1;) alert tcp $HOME_NET any -> [91.192.100.52] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202707; rev:1;) alert tcp $HOME_NET any -> [185.163.100.30] 8789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202708; rev:1;) alert tcp $HOME_NET any -> [24.231.0.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202709; rev:1;) alert tcp 
$HOME_NET any -> [149.129.223.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Godzilla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202710; rev:1;)
# NOTE(review): the feed labels this destination "Sinkhole" rather than a malware family,
# yet msg still reads "malicious host" and classtype is trojan-activity, the same as for
# the C&C entries. Presumably the address is run by a sinkholing party rather than an
# attacker (confirm with the feed). An alert still points at an internal host trying to
# reach infrastructure tied to malware, so triage the source host. The label is visible
# only in msg; key on sid 905202711 if sinkhole hits need separate handling.
alert tcp $HOME_NET any -> [192.42.116.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202711; rev:1;)
alert tcp $HOME_NET any -> [84.237.228.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202712; rev:1;)
alert tcp $HOME_NET any -> [85.9.212.117] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202713; rev:1;)
alert tcp $HOME_NET any -> [198.53.63.120] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202714; rev:1;)
alert tcp $HOME_NET any -> [185.121.166.77] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202715; rev:1;)
alert tcp $HOME_NET any -> [185.60.133.246] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202716; rev:1;)
alert tcp $HOME_NET any -> [68.109.83.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202717; rev:1;) alert tcp $HOME_NET any -> [87.117.146.63] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202718; rev:1;) alert tcp $HOME_NET any -> [92.38.135.168] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202719; rev:1;) alert tcp $HOME_NET any -> [83.167.164.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202720; rev:1;) alert tcp $HOME_NET any -> [91.214.119.37] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202721; rev:1;) alert tcp $HOME_NET any -> [149.129.129.193] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202722; rev:1;) alert tcp $HOME_NET any -> [185.148.241.52] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202723; rev:1;) alert tcp $HOME_NET any -> [185.148.241.56] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202724; rev:1;) alert tcp $HOME_NET any -> [185.121.166.106] 2112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905202725; rev:1;) alert tcp $HOME_NET any -> [185.67.0.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202726; rev:1;) alert tcp $HOME_NET any -> [118.200.151.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202727; rev:1;) alert tcp $HOME_NET any -> [184.68.167.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202728; rev:1;) alert tcp $HOME_NET any -> [96.31.109.51] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202729; rev:1;) alert tcp $HOME_NET any -> [185.206.146.75] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202730; rev:1;) alert tcp $HOME_NET any -> [185.125.205.69] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202731; rev:1;) alert tcp $HOME_NET any -> [82.202.166.170] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202732; rev:1;) alert tcp $HOME_NET any -> [185.148.241.38] 1555 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202733; rev:1;) alert tcp $HOME_NET any -> [185.227.83.50] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202734; rev:1;) alert tcp $HOME_NET any -> [178.209.42.109] 4299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202735; rev:1;) alert tcp $HOME_NET any -> [185.227.83.35] 2808 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202736; rev:1;) alert tcp $HOME_NET any -> [198.12.90.76] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202737; rev:1;) alert tcp $HOME_NET any -> [185.141.61.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202738; rev:1;) alert tcp $HOME_NET any -> [185.128.24.20] 2679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202739; rev:1;) alert tcp $HOME_NET any -> [185.174.172.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202740; rev:1;) alert tcp $HOME_NET any -> [185.16.41.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202741; rev:1;)
alert tcp $HOME_NET any -> [185.159.80.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202742; rev:1;)
# NOTE(review): sids 905202743 and 905202744 have the same destination, 5.188.228.47:443,
# and differ only in the family named in msg (TA505 vs PandaZeuS). Each rule carries its
# own threshold (type limit, count 1, seconds 60, track by_src: the first event per source
# in each 60-second window is logged and the rest are dropped). One session to this
# address can therefore raise two alerts, and alert volume does not reflect how many
# connections were made. Correlate on source and destination IP:port rather than counting
# alerts, and treat the family attribution for this address as ambiguous.
alert tcp $HOME_NET any -> [5.188.228.47] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202743; rev:1;)
alert tcp $HOME_NET any -> [5.188.228.47] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202744; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.234] 15086 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202745; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.72] 20 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202746; rev:1;)
alert tcp $HOME_NET any -> [70.79.178.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202747; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.59] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202748; rev:1;)
alert tcp $HOME_NET any -> [62.113.238.144] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202749; rev:1;) alert tcp $HOME_NET any -> [185.208.211.109] 2097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202750; rev:1;) alert tcp $HOME_NET any -> [185.227.83.39] 1373 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202751; rev:1;) alert tcp $HOME_NET any -> [185.208.211.112] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202752; rev:1;) alert tcp $HOME_NET any -> [91.192.100.3] 1153 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202753; rev:1;) alert tcp $HOME_NET any -> [185.4.29.236] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202754; rev:1;) alert tcp $HOME_NET any -> [185.148.241.37] 4041 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202755; rev:1;) alert tcp $HOME_NET any -> [110.10.176.124] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202756; rev:1;) alert tcp $HOME_NET any -> [181.215.247.69] 8181 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202757; rev:1;) alert tcp $HOME_NET any -> [185.135.83.35] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202758; rev:1;) alert tcp $HOME_NET any -> [185.208.211.132] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202759; rev:1;) alert tcp $HOME_NET any -> [212.83.61.213] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202760; rev:1;) alert tcp $HOME_NET any -> [185.208.211.103] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202761; rev:1;) alert tcp $HOME_NET any -> [208.78.58.170] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202762; rev:1;) alert tcp $HOME_NET any -> [178.78.202.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202763; rev:1;) alert tcp $HOME_NET any -> [185.227.83.35] 1986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202764; rev:1;) alert tcp 
$HOME_NET any -> [185.224.249.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202765; rev:1;) alert tcp $HOME_NET any -> [118.91.178.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202766; rev:1;) alert tcp $HOME_NET any -> [185.125.205.87] 7600 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202767; rev:1;) alert tcp $HOME_NET any -> [185.125.205.70] 4455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202768; rev:1;) alert tcp $HOME_NET any -> [89.117.107.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202769; rev:1;) alert tcp $HOME_NET any -> [185.227.83.41] 7720 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202770; rev:1;) alert tcp $HOME_NET any -> [194.68.23.182] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202771; rev:1;) alert tcp $HOME_NET any -> [185.129.193.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202772; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow. Only comments were added; the
# rules are unchanged and are laid out one per line.
#
# Match logic: each rule fires on an established, to-server TCP flow from
#   $HOME_NET to one fixed destination IP and port. There is no payload, TLS
#   or certificate match, so an alert means "a host talked to this IP:port",
#   not that C2 traffic was observed. The family in msg is the feed's own
#   "likely" label; sid 905202918 carries only the generic label "Malware".
# Alert volume: "threshold: type limit, track by_src, seconds 60, count 1"
#   logs at most one alert per source address per 60 seconds for each rule,
#   so alert counts understate connection counts. Size the activity from
#   flow records, not from the number of alerts.
# Port scope: the same address appears under several sids with different
#   ports and labels (185.208.211.139 is listed on 4040 as JBifrost and on
#   1864 as Adwind; 185.209.85.75 on 2889 and 7219; 185.148.241.41 on 2888
#   and 6540). Traffic to a listed IP on an unlisted port does not alert, so
#   search flow logs by IP when triaging a hit.
# Label text: msg spells one family both "TrickBot" and "Trickbot" (sids
#   905202913 and 905202928); group alerts case-insensitively downstream.
# Staleness: these are point-in-time IP indicators. Check the "Last updated"
#   value in the file header before acting on a hit, and corroborate
#   port-443 hits with TLS metadata (certificate fingerprint, SNI), since
#   the address may host other services.
# NOTE(review): the header marks this file as the "Aggressive" variant,
#   presumably a broader list than the feed's default -- confirm the scope
#   and expected false-positive rate on the Terms Of Use page.
# NOTE(review): sids look sequentially numbered in file order; if the feed
#   renumbers on regeneration, suppressions pinned to a sid may drift to a
#   different host -- confirm before keying tuning on sid.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [185.208.211.73] 33524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202773; rev:1;)
alert tcp $HOME_NET any -> [201.174.70.238] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202774; rev:1;)
alert tcp $HOME_NET any -> [90.69.224.122] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202775; rev:1;)
alert tcp $HOME_NET any -> [89.105.194.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202776; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.73] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202777; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.19] 4045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202778; rev:1;)
alert tcp $HOME_NET any -> [95.181.179.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202779; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.56] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202780; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.51] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202781; rev:1;)
alert tcp $HOME_NET any -> [45.56.2.247] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202782; rev:1;)
alert tcp $HOME_NET any -> [185.148.145.197] 2672 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202783; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 1373 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202784; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.173] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202785; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.215] 6420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202786; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 3885 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202787; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.79] 8970 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202788; rev:1;)
alert tcp $HOME_NET any -> [213.252.247.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202789; rev:1;)
alert tcp $HOME_NET any -> [73.107.42.28] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202790; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.49] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202791; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.49] 9555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202792; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.44] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202793; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.36] 7748 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202794; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.86] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202795; rev:1;)
alert tcp $HOME_NET any -> [5.188.232.238] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202796; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.45] 5007 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202797; rev:1;)
alert tcp $HOME_NET any -> [47.40.90.210] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202798; rev:1;)
alert tcp $HOME_NET any -> [67.159.157.150] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202799; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.176] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202800; rev:1;)
alert tcp $HOME_NET any -> [151.106.30.239] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202801; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.4] 1918 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202802; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.22] 8420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202803; rev:1;)
alert tcp $HOME_NET any -> [187.163.215.32] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202804; rev:1;)
alert tcp $HOME_NET any -> [91.227.16.125] 443 (msg:"SSLBL: Traffic to malicious host (likely PlugX C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202805; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.208] 7734 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202806; rev:1;)
alert tcp $HOME_NET any -> [138.34.32.74] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202807; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.9] 1153 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202808; rev:1;)
alert tcp $HOME_NET any -> [45.32.235.225] 1983 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202809; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.39] 5786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202810; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.42] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202811; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.211] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202812; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.12] 2097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202813; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.33] 2343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202814; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.188] 665 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202815; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.75] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202816; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.43] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202817; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.139] 4040 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202818; rev:1;)
alert tcp $HOME_NET any -> [185.115.32.166] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202819; rev:1;)
alert tcp $HOME_NET any -> [200.2.126.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202820; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.68] 2442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202821; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.182] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202822; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.16] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202823; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.183] 90 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202824; rev:1;)
alert tcp $HOME_NET any -> [62.31.150.202] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202825; rev:1;)
alert tcp $HOME_NET any -> [86.61.177.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202826; rev:1;)
alert tcp $HOME_NET any -> [213.183.59.130] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202827; rev:1;)
alert tcp $HOME_NET any -> [181.174.165.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202828; rev:1;)
alert tcp $HOME_NET any -> [144.76.237.29] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202829; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.58] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202830; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.67] 6969 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202831; rev:1;)
alert tcp $HOME_NET any -> [138.34.32.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202832; rev:1;)
alert tcp $HOME_NET any -> [41.211.9.226] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202833; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.137] 4546 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202834; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.75] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202835; rev:1;)
alert tcp $HOME_NET any -> [36.74.100.211] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202836; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.202] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202837; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.65] 7177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202838; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.50] 2311 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202839; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.41] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202840; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.186] 6420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202841; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.66] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202842; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.53] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202843; rev:1;)
alert tcp $HOME_NET any -> [188.124.167.132] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202844; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.180] 7890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202845; rev:1;)
alert tcp $HOME_NET any -> [46.21.154.83] 14486 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202846; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.180] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202847; rev:1;)
alert tcp $HOME_NET any -> [204.16.247.51] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202848; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.2] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202849; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.218] 7751 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202850; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.89] 2543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202851; rev:1;)
alert tcp $HOME_NET any -> [66.98.121.192] 5555 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202852; rev:1;)
alert tcp $HOME_NET any -> [206.123.145.108] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202853; rev:1;)
alert tcp $HOME_NET any -> [155.133.31.21] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202854; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.64] 4001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202855; rev:1;)
alert tcp $HOME_NET any -> [104.247.219.27] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202856; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.51] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202857; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.76] 3033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202858; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.181] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202859; rev:1;)
alert tcp $HOME_NET any -> [87.255.24.238] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202860; rev:1;)
alert tcp $HOME_NET any -> [85.143.202.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202861; rev:1;)
alert tcp $HOME_NET any -> [182.253.210.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202862; rev:1;)
alert tcp $HOME_NET any -> [77.246.158.28] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202863; rev:1;)
alert tcp $HOME_NET any -> [24.228.185.224] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202864; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.51] 3011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202865; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.183] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202866; rev:1;)
alert tcp $HOME_NET any -> [190.4.189.129] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202867; rev:1;)
alert tcp $HOME_NET any -> [200.111.167.227] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202868; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.65] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202869; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.208] 20903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202870; rev:1;)
alert tcp $HOME_NET any -> [103.43.75.105] 1972 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202871; rev:1;)
alert tcp $HOME_NET any -> [158.58.131.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202872; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.66] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202873; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.139] 1864 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202874; rev:1;)
alert tcp $HOME_NET any -> [46.47.50.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202875; rev:1;)
alert tcp $HOME_NET any -> [185.141.62.100] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202876; rev:1;)
alert tcp $HOME_NET any -> [46.173.218.66] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202877; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202878; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.59] 6692 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202879; rev:1;)
alert tcp $HOME_NET any -> [185.168.185.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202880; rev:1;)
alert tcp $HOME_NET any -> [190.7.199.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202881; rev:1;)
alert tcp $HOME_NET any -> [93.109.242.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202882; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.69] 6897 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202883; rev:1;)
alert tcp $HOME_NET any -> [65.30.201.40] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202884; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.162] 1111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202885; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.188] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202886; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.199] 8773 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202887; rev:1;)
alert tcp $HOME_NET any -> [185.117.75.121] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202888; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.57] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202889; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.70] 2060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202890; rev:1;)
alert tcp $HOME_NET any -> [198.50.170.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202891; rev:1;)
alert tcp $HOME_NET any -> [109.86.227.152] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202892; rev:1;)
alert tcp $HOME_NET any -> [93.170.123.78] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202893; rev:1;)
alert tcp $HOME_NET any -> [66.232.212.59] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202894; rev:1;)
alert tcp $HOME_NET any -> [83.168.83.29] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202895; rev:1;)
alert tcp $HOME_NET any -> [80.53.57.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202896; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.69] 7791 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202897; rev:1;)
alert tcp $HOME_NET any -> [85.143.174.206] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202898; rev:1;)
alert tcp $HOME_NET any -> [71.85.72.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202899; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.55] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202900; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.52] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202901; rev:1;)
alert tcp $HOME_NET any -> [209.121.142.214] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202902; rev:1;)
alert tcp $HOME_NET any -> [185.48.56.134] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202903; rev:1;)
alert tcp $HOME_NET any -> [5.187.0.158] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202904; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.41] 6540 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202905; rev:1;)
alert tcp $HOME_NET any -> [172.94.47.7] 6014 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202906; rev:1;)
alert tcp $HOME_NET any -> [74.118.139.79] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202907; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.166] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202908; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.36] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202909; rev:1;)
alert tcp $HOME_NET any -> [185.220.68.230] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202910; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.72] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202911; rev:1;)
alert tcp $HOME_NET any -> [154.127.59.97] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202912; rev:1;)
alert tcp $HOME_NET any -> [185.180.198.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202913; rev:1;)
alert tcp $HOME_NET any -> [185.159.130.87] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202914; rev:1;)
alert tcp $HOME_NET any -> [46.72.175.17] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202915; rev:1;)
alert tcp $HOME_NET any -> [172.81.133.35] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202916; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.186] 6022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202917; rev:1;)
alert tcp $HOME_NET any -> [185.51.247.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202918; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.36] 2071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202919; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.182] 7063 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202920; rev:1;)
alert tcp $HOME_NET any -> [92.55.251.211] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202921; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.60] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202922; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.5] 2442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202923; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.53] 2557 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202924; rev:1;)
alert tcp $HOME_NET any -> [94.112.52.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202925; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.180] 2050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202926; rev:1;)
alert tcp $HOME_NET any -> [185.243.131.171] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202927; rev:1;)
alert tcp $HOME_NET any -> [80.87.195.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202928; rev:1;)
alert tcp $HOME_NET any -> [46.243.179.212] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202929; rev:1;)
alert tcp $HOME_NET any -> [62.109.18.210] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202930; rev:1;)
alert tcp $HOME_NET any -> [185.174.172.226] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202931; rev:1;)
alert tcp $HOME_NET any -> [208.75.117.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202932; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.66] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202933; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.71] 7171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202934; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.169] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202935; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.156] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202936; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.24] 6789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202937; rev:1;) alert tcp $HOME_NET any -> [92.53.66.161] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202938; rev:1;) alert tcp $HOME_NET any -> [209.121.142.202] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202939; rev:1;) alert tcp $HOME_NET any -> [203.86.222.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202940; rev:1;) alert tcp $HOME_NET any -> [82.202.236.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202941; rev:1;) alert tcp $HOME_NET any -> [185.249.255.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202942; rev:1;) alert tcp $HOME_NET any -> [144.48.51.8] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202943; rev:1;) alert tcp $HOME_NET any -> [185.208.211.48] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202944; rev:1;) alert tcp $HOME_NET any -> [185.209.85.181] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202945; rev:1;) alert tcp $HOME_NET any -> [185.208.211.102] 3661 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202946; rev:1;) alert tcp $HOME_NET any -> [195.54.162.77] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202947; rev:1;) alert tcp $HOME_NET any -> [185.159.129.149] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202948; rev:1;) alert tcp $HOME_NET any -> [107.144.49.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202949; rev:1;) alert tcp $HOME_NET any -> [109.234.37.89] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202950; rev:1;) alert tcp $HOME_NET any -> [185.148.241.35] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202951; rev:1;) alert tcp $HOME_NET any -> [194.87.238.137] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202952; rev:1;) alert tcp $HOME_NET any -> [185.209.85.69] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202953; rev:1;) alert tcp $HOME_NET any -> [46.148.26.11] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202954; rev:1;) alert tcp $HOME_NET any -> [194.68.59.70] 3288 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202955; rev:1;) alert tcp $HOME_NET any -> [5.102.177.205] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202956; rev:1;) alert tcp $HOME_NET any -> [85.217.170.201] 4535 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202957; rev:1;) alert tcp $HOME_NET any -> [85.143.214.226] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202958; rev:1;) alert tcp $HOME_NET any -> [185.209.85.186] 3821 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202959; rev:1;) alert tcp $HOME_NET any -> [185.209.85.72] 8970 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202960; rev:1;) alert tcp $HOME_NET any -> [37.230.112.67] 443 (msg:"SSLBL: Traffic to malicious host 
(likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202961; rev:1;) alert tcp $HOME_NET any -> [185.208.211.64] 7366 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202962; rev:1;) alert tcp $HOME_NET any -> [185.159.128.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202963; rev:1;) alert tcp $HOME_NET any -> [80.87.195.120] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202964; rev:1;) alert tcp $HOME_NET any -> [162.244.32.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202965; rev:1;) alert tcp $HOME_NET any -> [68.227.31.46] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202966; rev:1;) alert tcp $HOME_NET any -> [81.177.255.76] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202967; rev:1;) alert tcp $HOME_NET any -> [146.255.79.161] 8475 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202968; rev:1;) alert tcp $HOME_NET any -> [91.192.100.33] 3917 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202969; rev:1;) alert tcp $HOME_NET any -> [185.174.175.14] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202970; rev:1;) alert tcp $HOME_NET any -> [92.53.67.190] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202971; rev:1;) alert tcp $HOME_NET any -> [185.4.29.143] 7962 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202972; rev:1;) alert tcp $HOME_NET any -> [185.68.93.12] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202973; rev:1;) alert tcp $HOME_NET any -> [212.92.98.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202974; rev:1;) alert tcp $HOME_NET any -> [185.209.85.71] 4181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202975; rev:1;) alert tcp $HOME_NET any -> [188.209.52.62] 49575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202976; rev:1;) alert tcp 
$HOME_NET any -> [95.161.180.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202977; rev:1;) alert tcp $HOME_NET any -> [203.86.222.142] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202978; rev:1;) alert tcp $HOME_NET any -> [46.21.249.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202979; rev:1;) alert tcp $HOME_NET any -> [191.6.18.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202980; rev:1;) alert tcp $HOME_NET any -> [185.236.130.126] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202981; rev:1;) alert tcp $HOME_NET any -> [193.233.62.145] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202982; rev:1;) alert tcp $HOME_NET any -> [193.0.179.140] 80 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202983; rev:1;) alert tcp $HOME_NET any -> [89.37.226.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202984; rev:1;) alert tcp $HOME_NET any -> [144.48.51.8] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202985; rev:1;) alert tcp $HOME_NET any -> [176.32.33.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202986; rev:1;) alert tcp $HOME_NET any -> [194.87.111.48] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202987; rev:1;) alert tcp $HOME_NET any -> [86.105.1.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202988; rev:1;) alert tcp $HOME_NET any -> [172.86.120.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202989; rev:1;) alert tcp $HOME_NET any -> [92.53.91.229] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202990; rev:1;) alert tcp $HOME_NET any -> [82.146.62.102] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202991; rev:1;) alert tcp $HOME_NET any -> [195.133.48.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202992; rev:1;) alert tcp $HOME_NET any -> [109.95.114.28] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202993; rev:1;) alert tcp $HOME_NET any -> [195.123.237.208] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202994; rev:1;) alert tcp $HOME_NET any -> [185.228.233.185] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202995; rev:1;) alert tcp $HOME_NET any -> [185.228.233.133] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202996; rev:1;) alert tcp $HOME_NET any -> [185.249.255.172] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202997; rev:1;) alert tcp $HOME_NET any -> [78.155.199.161] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202998; rev:1;) alert tcp $HOME_NET any -> [179.107.89.145] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202999; rev:1;) alert tcp $HOME_NET any -> [185.42.192.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203000; rev:1;) alert tcp $HOME_NET any -> [185.159.128.224] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203001; rev:1;) alert tcp $HOME_NET any -> [173.220.6.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203002; rev:1;) alert tcp $HOME_NET any -> [95.213.252.243] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203003; rev:1;) alert tcp $HOME_NET any -> [68.96.73.154] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203004; rev:1;) alert tcp $HOME_NET any -> [185.223.95.66] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203005; rev:1;) alert tcp $HOME_NET any -> [46.20.207.204] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203006; rev:1;) alert tcp $HOME_NET any -> [195.136.226.11] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203007; rev:1;) alert tcp $HOME_NET any -> [109.234.38.128] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203008; rev:1;) alert tcp $HOME_NET any -> [94.103.81.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203009; rev:1;) alert tcp $HOME_NET any -> [185.223.95.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203010; rev:1;) alert tcp $HOME_NET any -> [118.91.178.106] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203011; rev:1;) alert tcp $HOME_NET any -> [95.213.204.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203012; rev:1;) alert tcp $HOME_NET any -> [91.206.4.216] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203013; rev:1;) alert tcp $HOME_NET any -> [185.228.232.218] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203014; rev:1;) alert tcp $HOME_NET any -> [137.74.159.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203015; rev:1;) alert tcp $HOME_NET any -> [185.228.233.23] 447 (msg:"SSLBL: Traffic to malicious 
host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203016; rev:1;) alert tcp $HOME_NET any -> [86.105.1.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203017; rev:1;) alert tcp $HOME_NET any -> [70.91.134.61] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203018; rev:1;) alert tcp $HOME_NET any -> [130.180.89.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203019; rev:1;) alert tcp $HOME_NET any -> [94.103.80.27] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203020; rev:1;) alert tcp $HOME_NET any -> [194.87.103.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203021; rev:1;) alert tcp $HOME_NET any -> [176.122.20.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203022; rev:1;) alert tcp $HOME_NET any -> [91.243.80.109] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203023; rev:1;) alert tcp $HOME_NET any -> [109.234.39.242] 447 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203024; rev:1;) alert tcp $HOME_NET any -> [85.143.173.177] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203025; rev:1;) alert tcp $HOME_NET any -> [185.159.129.10] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203026; rev:1;) alert tcp $HOME_NET any -> [109.234.37.114] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203027; rev:1;) alert tcp $HOME_NET any -> [90.63.223.63] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203028; rev:1;) alert tcp $HOME_NET any -> [185.26.174.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203029; rev:1;) alert tcp $HOME_NET any -> [37.230.114.136] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203030; rev:1;) alert tcp $HOME_NET any -> [176.121.215.149] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203031; rev:1;) alert 
tcp $HOME_NET any -> [94.103.82.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203032; rev:1;) alert tcp $HOME_NET any -> [185.243.131.63] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203033; rev:1;) alert tcp $HOME_NET any -> [85.143.214.12] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203034; rev:1;) alert tcp $HOME_NET any -> [93.181.186.127] 451 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203035; rev:1;) alert tcp $HOME_NET any -> [95.213.252.10] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203036; rev:1;) alert tcp $HOME_NET any -> [65.123.48.221] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203037; rev:1;) alert tcp $HOME_NET any -> [92.53.78.213] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203038; rev:1;) alert tcp $HOME_NET any -> [69.122.117.95] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203039; rev:1;) alert tcp $HOME_NET any -> [146.255.79.186] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203040; rev:1;) alert tcp $HOME_NET any -> [146.185.254.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203041; rev:1;) alert tcp $HOME_NET any -> [85.143.222.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203042; rev:1;) alert tcp $HOME_NET any -> [189.84.125.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203043; rev:1;) alert tcp $HOME_NET any -> [185.249.254.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203044; rev:1;) alert tcp $HOME_NET any -> [94.103.82.65] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203045; rev:1;) alert tcp $HOME_NET any -> [89.37.56.24] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203046; rev:1;) alert tcp $HOME_NET any -> [185.159.128.158] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203047; rev:1;) alert tcp $HOME_NET any -> [207.140.15.87] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203048; rev:1;) alert tcp $HOME_NET any -> [89.223.24.221] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203049; rev:1;) alert tcp $HOME_NET any -> [86.23.59.198] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203050; rev:1;) alert tcp $HOME_NET any -> [92.53.91.229] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203051; rev:1;) alert tcp $HOME_NET any -> [195.133.196.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203052; rev:1;) alert tcp $HOME_NET any -> [185.26.174.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203053; rev:1;) alert tcp $HOME_NET any -> [193.233.62.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203054; rev:1;) alert tcp $HOME_NET any -> [195.123.216.102] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203055; rev:1;) alert tcp $HOME_NET any -> [85.143.221.60] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203056; rev:1;) alert tcp $HOME_NET any -> [185.158.155.56] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203057; rev:1;) alert tcp $HOME_NET any -> [195.133.147.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203058; rev:1;) alert tcp $HOME_NET any -> [31.41.81.47] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203059; rev:1;) alert tcp $HOME_NET any -> [78.155.206.228] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203060; rev:1;) alert tcp $HOME_NET any -> [192.225.226.15] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203061; rev:1;) alert tcp $HOME_NET any -> [109.234.38.199] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203062; rev:1;) alert tcp $HOME_NET any -> [94.230.20.47] 449 (msg:"SSLBL: Traffic to malicious 
host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203063; rev:1;) alert tcp $HOME_NET any -> [95.213.235.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203064; rev:1;) alert tcp $HOME_NET any -> [109.234.35.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203065; rev:1;) alert tcp $HOME_NET any -> [31.134.52.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203066; rev:1;) alert tcp $HOME_NET any -> [185.159.128.75] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203067; rev:1;) alert tcp $HOME_NET any -> [185.174.173.116] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203068; rev:1;) alert tcp $HOME_NET any -> [93.181.186.127] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203069; rev:1;) alert tcp $HOME_NET any -> [185.56.90.77] 19000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203070; rev:1;) alert tcp $HOME_NET any -> [185.228.232.14] 
447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203071; rev:1;) alert tcp $HOME_NET any -> [95.181.179.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203072; rev:1;) alert tcp $HOME_NET any -> [192.95.35.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203073; rev:1;) alert tcp $HOME_NET any -> [178.32.52.15] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203074; rev:1;) alert tcp $HOME_NET any -> [31.131.27.106] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203075; rev:1;) alert tcp $HOME_NET any -> [82.146.59.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203076; rev:1;) alert tcp $HOME_NET any -> [85.222.109.54] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203077; rev:1;) alert tcp $HOME_NET any -> [195.123.213.188] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203078; rev:1;) alert tcp 
$HOME_NET any -> [93.95.97.136] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203079; rev:1;) alert tcp $HOME_NET any -> [188.227.72.195] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203080; rev:1;) alert tcp $HOME_NET any -> [92.53.78.236] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203081; rev:1;) alert tcp $HOME_NET any -> [185.228.232.215] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203082; rev:1;) alert tcp $HOME_NET any -> [109.95.113.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203083; rev:1;) alert tcp $HOME_NET any -> [199.247.31.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203084; rev:1;) alert tcp $HOME_NET any -> [186.2.168.150] 443 (msg:"SSLBL: Traffic to malicious host (likely QuantLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203085; rev:1;) alert tcp $HOME_NET any -> [82.214.141.134] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203086; rev:1;) alert tcp $HOME_NET any -> [178.209.40.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203087; rev:1;) alert tcp $HOME_NET any -> [195.123.233.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203088; rev:1;) alert tcp $HOME_NET any -> [86.105.18.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203089; rev:1;) alert tcp $HOME_NET any -> [31.131.26.13] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203090; rev:1;) alert tcp $HOME_NET any -> [91.243.81.13] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203091; rev:1;) alert tcp $HOME_NET any -> [5.188.231.226] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203092; rev:1;) alert tcp $HOME_NET any -> [85.143.175.248] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203093; rev:1;) alert tcp $HOME_NET any -> [81.227.0.215] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203094; rev:1;) alert tcp $HOME_NET any -> [109.173.183.245] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203095; rev:1;) alert tcp $HOME_NET any -> [23.105.131.139] 2023 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203096; rev:1;) alert tcp $HOME_NET any -> [109.234.35.3] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203097; rev:1;) alert tcp $HOME_NET any -> [185.55.64.47] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203098; rev:1;) alert tcp $HOME_NET any -> [82.202.226.62] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203099; rev:1;) alert tcp $HOME_NET any -> [66.70.218.34] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203100; rev:1;) alert tcp $HOME_NET any -> [5.8.88.166] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203101; rev:1;) alert tcp $HOME_NET any -> [192.251.231.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203102; rev:1;) alert tcp $HOME_NET any -> [31.134.60.181] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203103; rev:1;) alert tcp $HOME_NET any -> [31.172.177.90] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203104; rev:1;) alert tcp $HOME_NET any -> [212.14.51.56] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203105; rev:1;) alert tcp $HOME_NET any -> [185.180.196.109] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203106; rev:1;) alert tcp $HOME_NET any -> [185.209.85.75] 7768 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203107; rev:1;) alert tcp $HOME_NET any -> [185.180.196.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203108; rev:1;) alert tcp $HOME_NET any -> [65.40.207.151] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203109; rev:1;) alert tcp $HOME_NET any -> [185.180.197.58] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203110; rev:1;) alert tcp $HOME_NET any -> [195.133.146.156] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203111; rev:1;) alert tcp $HOME_NET any -> [217.63.197.185] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203112; rev:1;) alert tcp $HOME_NET any -> [5.255.94.80] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203113; rev:1;) alert tcp $HOME_NET any -> [91.243.80.131] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203114; rev:1;) alert tcp $HOME_NET any -> [94.177.12.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203115; rev:1;) alert tcp $HOME_NET any -> [138.128.5.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203116; rev:1;) alert tcp $HOME_NET any -> [178.170.244.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203117; rev:1;) alert tcp $HOME_NET any -> [46.21.249.49] 447 (msg:"SSLBL: Traffic to 
malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203118; rev:1;) alert tcp $HOME_NET any -> [46.249.62.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203119; rev:1;) alert tcp $HOME_NET any -> [185.246.65.222] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203120; rev:1;) alert tcp $HOME_NET any -> [46.249.62.219] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203121; rev:1;) alert tcp $HOME_NET any -> [5.63.158.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203122; rev:1;) alert tcp $HOME_NET any -> [134.0.115.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203123; rev:1;) alert tcp $HOME_NET any -> [45.77.61.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203124; rev:1;) alert tcp $HOME_NET any -> [89.248.171.38] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203125; rev:1;) alert tcp $HOME_NET any -> [185.209.85.73] 2141 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203126; rev:1;) alert tcp $HOME_NET any -> [192.71.247.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203127; rev:1;) alert tcp $HOME_NET any -> [199.247.7.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203128; rev:1;) alert tcp $HOME_NET any -> [109.234.35.121] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203129; rev:1;) alert tcp $HOME_NET any -> [37.220.31.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203130; rev:1;) alert tcp $HOME_NET any -> [91.221.36.71] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203131; rev:1;) alert tcp $HOME_NET any -> [185.228.233.229] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203132; rev:1;) alert tcp $HOME_NET any -> [46.148.26.106] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203133; rev:1;) alert tcp $HOME_NET 
any -> [23.105.131.148] 4001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203134; rev:1;) alert tcp $HOME_NET any -> [91.243.80.21] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203135; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203136; rev:1;) alert tcp $HOME_NET any -> [185.212.149.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203137; rev:1;) alert tcp $HOME_NET any -> [86.105.18.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203138; rev:1;) alert tcp $HOME_NET any -> [185.68.93.41] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203139; rev:1;) alert tcp $HOME_NET any -> [95.46.8.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203140; rev:1;) alert tcp $HOME_NET any -> [181.175.124.212] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203141; rev:1;) 
# Reviewer notes for the rules below. Each rule matches on destination IP and port only;
# there is no payload or TLS content match.
# - flow:established,to_server limits a match to client-to-server traffic on an established
#   TCP session, so an outbound attempt that never completes the handshake (for example one
#   dropped at a firewall) is not expected to alert here; check firewall deny logs as well.
# - threshold: type limit, track by_src, seconds 60, count 1 caps each rule at one alert per
#   source address per 60 seconds, so the alert count does not reflect how often a host
#   connected inside that window.
# - On Snort the in-rule threshold keyword is deprecated in favour of event_filter /
#   detection_filter; verify that the engine version in use still accepts it.
# - The file header marks this as the "Aggressive" list, last updated 2021-01-19. IP addresses
#   are reassigned over time, so treat a hit as a lead to corroborate (TLS certificate
#   fingerprint, host telemetry, the current feed) rather than as confirmation.
# - The malware family in msg is labelled "likely" by the feed itself.
alert tcp $HOME_NET any -> [81.176.239.167] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203142; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.199] 2067 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203143; rev:1;)
# NOTE(review): the next two rules (sid 905203144 and 905203145) have the same destination,
# 37.187.54.76 port 443, and differ only in the family named in msg (Gozi vs Dridex). One
# session matches both, and the threshold is kept per rule, so expect two alerts for it; the
# family cannot be decided from these rules alone.
alert tcp $HOME_NET any -> [37.187.54.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203144; rev:1;)
alert tcp $HOME_NET any -> [37.187.54.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203145; rev:1;)
alert tcp $HOME_NET any -> [81.169.128.232] 4743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203146; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203147; rev:1;)
alert tcp $HOME_NET any -> [46.21.249.52] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203148; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.5] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203149; rev:1;) alert tcp $HOME_NET any -> [194.87.235.92] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203150; rev:1;) alert tcp $HOME_NET any -> [210.187.214.162] 9349 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203151; rev:1;) alert tcp $HOME_NET any -> [31.171.155.33] 1215 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203152; rev:1;) alert tcp $HOME_NET any -> [213.183.58.36] 6774 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203153; rev:1;) alert tcp $HOME_NET any -> [212.92.98.106] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203154; rev:1;) alert tcp $HOME_NET any -> [176.223.111.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203155; rev:1;) alert tcp $HOME_NET any -> [213.152.162.84] 56293 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203156; rev:1;) alert tcp $HOME_NET any -> [185.48.239.33] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905203157; rev:1;) alert tcp $HOME_NET any -> [213.183.58.49] 7741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203158; rev:1;) alert tcp $HOME_NET any -> [213.183.58.6] 2378 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203159; rev:1;) alert tcp $HOME_NET any -> [5.133.179.117] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203160; rev:1;) alert tcp $HOME_NET any -> [213.183.58.33] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203161; rev:1;) alert tcp $HOME_NET any -> [185.208.211.33] 2060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203162; rev:1;) alert tcp $HOME_NET any -> [78.130.176.198] 7798 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203163; rev:1;) alert tcp $HOME_NET any -> [45.113.70.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203164; rev:1;) alert tcp $HOME_NET any -> [185.145.44.174] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203165; rev:1;) alert tcp $HOME_NET any -> [5.187.49.225] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203166; rev:1;) alert tcp $HOME_NET any -> [195.133.144.185] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203167; rev:1;) alert tcp $HOME_NET any -> [194.87.234.173] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203168; rev:1;) alert tcp $HOME_NET any -> [194.87.237.93] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203169; rev:1;) alert tcp $HOME_NET any -> [160.202.163.240] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203170; rev:1;) alert tcp $HOME_NET any -> [95.140.125.122] 7499 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203171; rev:1;) alert tcp $HOME_NET any -> [206.255.220.53] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203172; rev:1;) alert tcp $HOME_NET any -> [212.92.98.7] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203173; rev:1;) alert tcp $HOME_NET any -> [212.14.51.56] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203174; rev:1;) alert tcp $HOME_NET any -> [185.140.53.81] 1810 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203175; rev:1;) alert tcp $HOME_NET any -> [91.192.100.25] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203176; rev:1;) alert tcp $HOME_NET any -> [185.175.158.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203177; rev:1;) alert tcp $HOME_NET any -> [185.211.247.31] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203178; rev:1;) alert tcp $HOME_NET any -> [174.127.99.218] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203179; rev:1;) alert tcp $HOME_NET any -> [185.212.149.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203180; rev:1;) alert tcp $HOME_NET any -> [92.114.92.11] 443 (msg:"SSLBL: Traffic to malicious host 
(likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203181; rev:1;) alert tcp $HOME_NET any -> [5.206.224.22] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203182; rev:1;) alert tcp $HOME_NET any -> [89.45.67.21] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203183; rev:1;) alert tcp $HOME_NET any -> [173.212.248.207] 5051 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203184; rev:1;) alert tcp $HOME_NET any -> [178.33.108.70] 2050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203185; rev:1;) alert tcp $HOME_NET any -> [194.87.239.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203186; rev:1;) alert tcp $HOME_NET any -> [179.43.147.247] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203187; rev:1;) alert tcp $HOME_NET any -> [185.24.232.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203188; rev:1;) alert tcp $HOME_NET any -> [212.14.51.43] 449 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203189; rev:1;) alert tcp $HOME_NET any -> [78.155.219.55] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203190; rev:1;) alert tcp $HOME_NET any -> [185.208.211.171] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203191; rev:1;) alert tcp $HOME_NET any -> [185.189.112.157] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203192; rev:1;) alert tcp $HOME_NET any -> [160.202.163.200] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203193; rev:1;) alert tcp $HOME_NET any -> [79.172.242.94] 6692 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203194; rev:1;) alert tcp $HOME_NET any -> [173.254.223.83] 5434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203195; rev:1;) alert tcp $HOME_NET any -> [185.209.85.177] 3076 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203196; rev:1;) alert tcp 
$HOME_NET any -> [178.124.140.154] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203197; rev:1;) alert tcp $HOME_NET any -> [69.64.251.41] 2565 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203198; rev:1;) alert tcp $HOME_NET any -> [185.171.25.8] 2103 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203199; rev:1;) alert tcp $HOME_NET any -> [91.192.100.44] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203200; rev:1;) alert tcp $HOME_NET any -> [45.32.24.40] 3033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203201; rev:1;) alert tcp $HOME_NET any -> [185.209.85.69] 3940 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203202; rev:1;) alert tcp $HOME_NET any -> [95.141.43.197] 2212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203203; rev:1;) alert tcp $HOME_NET any -> [23.105.131.186] 4455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203204; rev:1;) alert tcp $HOME_NET any -> [103.68.223.149] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203205; rev:1;) alert tcp $HOME_NET any -> [185.145.45.33] 32266 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203206; rev:1;) alert tcp $HOME_NET any -> [95.141.43.194] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203207; rev:1;) alert tcp $HOME_NET any -> [79.172.242.33] 7037 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203208; rev:1;) alert tcp $HOME_NET any -> [191.101.22.86] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203209; rev:1;) alert tcp $HOME_NET any -> [185.227.83.38] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203210; rev:1;) alert tcp $HOME_NET any -> [84.38.135.148] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203211; rev:1;) alert tcp $HOME_NET any -> [178.175.138.146] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905203212; rev:1;) alert tcp $HOME_NET any -> [185.227.83.35] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203213; rev:1;) alert tcp $HOME_NET any -> [185.171.25.28] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203214; rev:1;) alert tcp $HOME_NET any -> [185.209.85.70] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203215; rev:1;) alert tcp $HOME_NET any -> [84.200.84.224] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203216; rev:1;) alert tcp $HOME_NET any -> [185.227.83.54] 4781 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203217; rev:1;) alert tcp $HOME_NET any -> [178.175.138.209] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203218; rev:1;) alert tcp $HOME_NET any -> [191.101.22.5] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203219; rev:1;) alert tcp $HOME_NET any -> [213.183.58.37] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203220; rev:1;) alert tcp $HOME_NET any -> [5.196.121.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203221; rev:1;) alert tcp $HOME_NET any -> [185.227.83.43] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203222; rev:1;) alert tcp $HOME_NET any -> [95.213.204.124] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203223; rev:1;) alert tcp $HOME_NET any -> [69.124.38.159] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203224; rev:1;) alert tcp $HOME_NET any -> [185.45.192.185] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203225; rev:1;) alert tcp $HOME_NET any -> [154.16.93.178] 5678 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203226; rev:1;) alert tcp $HOME_NET any -> [91.192.100.62] 6789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203227; rev:1;) alert tcp $HOME_NET any -> [185.171.25.11] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203228; rev:1;) alert tcp $HOME_NET any -> [185.145.45.9] 2526 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203229; rev:1;) alert tcp $HOME_NET any -> [185.163.45.48] 1992 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203230; rev:1;) alert tcp $HOME_NET any -> [137.74.157.92] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203231; rev:1;) alert tcp $HOME_NET any -> [185.171.25.8] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203232; rev:1;) alert tcp $HOME_NET any -> [185.101.34.90] 1789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203233; rev:1;) alert tcp $HOME_NET any -> [185.29.8.119] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203234; rev:1;) alert tcp $HOME_NET any -> [185.171.25.28] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203235; rev:1;) alert tcp $HOME_NET any -> [195.133.1.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203236; rev:1;) alert tcp $HOME_NET any -> [185.24.232.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203237; rev:1;) alert tcp $HOME_NET any -> [194.68.59.38] 10101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203238; rev:1;) alert tcp $HOME_NET any -> [178.175.138.231] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203239; rev:1;) alert tcp $HOME_NET any -> [62.102.148.156] 64271 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203240; rev:1;) alert tcp $HOME_NET any -> [89.35.228.196] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203241; rev:1;) alert tcp $HOME_NET any -> [185.227.83.52] 7110 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203242; rev:1;) alert tcp $HOME_NET any -> [67.215.9.226] 5680 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203243; rev:1;) alert tcp $HOME_NET any -> [194.68.59.34] 3366 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203244; rev:1;) alert tcp $HOME_NET any -> [79.172.242.97] 3917 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203245; rev:1;) alert tcp $HOME_NET any -> [91.192.100.43] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203246; rev:1;) alert tcp $HOME_NET any -> [109.234.36.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203247; rev:1;) alert tcp $HOME_NET any -> [78.130.176.186] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203248; rev:1;) alert tcp $HOME_NET any -> [92.53.77.125] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203249; rev:1;) alert tcp $HOME_NET any -> [195.133.144.162] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203250; rev:1;) alert tcp $HOME_NET any -> [78.130.176.178] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203251; rev:1;) alert tcp $HOME_NET any -> [176.10.100.155] 6789 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203252; rev:1;) alert tcp $HOME_NET any -> [185.227.83.52] 70 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203253; rev:1;) alert tcp $HOME_NET any -> [219.92.131.188] 3255 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203254; rev:1;) alert tcp $HOME_NET any -> [91.192.100.2] 4914 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203255; rev:1;) alert tcp $HOME_NET any -> [191.101.22.29] 53826 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203256; rev:1;) alert tcp $HOME_NET any -> [213.183.58.53] 6643 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203257; rev:1;) alert tcp $HOME_NET any -> [23.105.131.191] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203258; rev:1;) alert tcp $HOME_NET any -> [191.101.27.3] 4933 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203259; rev:1;) alert tcp $HOME_NET any 
-> [144.217.20.62] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203260; rev:1;) alert tcp $HOME_NET any -> [91.192.100.26] 8102 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203261; rev:1;) alert tcp $HOME_NET any -> [60.50.229.87] 9349 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203262; rev:1;) alert tcp $HOME_NET any -> [146.255.79.167] 4343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203263; rev:1;) alert tcp $HOME_NET any -> [174.127.99.175] 7039 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203264; rev:1;) alert tcp $HOME_NET any -> [176.10.100.157] 3020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203265; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 1956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203266; rev:1;) alert tcp $HOME_NET any -> [185.145.45.81] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203267; 
rev:1;) alert tcp $HOME_NET any -> [86.105.1.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203268; rev:1;) alert tcp $HOME_NET any -> [216.38.7.248] 1212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203269; rev:1;) alert tcp $HOME_NET any -> [91.192.100.19] 4101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203270; rev:1;) alert tcp $HOME_NET any -> [92.53.78.158] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203271; rev:1;) alert tcp $HOME_NET any -> [91.192.100.20] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203272; rev:1;) alert tcp $HOME_NET any -> [174.127.99.139] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203273; rev:1;) alert tcp $HOME_NET any -> [185.62.188.94] 49575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203274; rev:1;) alert tcp $HOME_NET any -> [185.236.130.122] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203275; rev:1;) alert tcp $HOME_NET any -> [91.192.100.27] 6042 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203276; rev:1;) alert tcp $HOME_NET any -> [185.236.130.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203277; rev:1;) alert tcp $HOME_NET any -> [213.208.129.203] 100 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203278; rev:1;) alert tcp $HOME_NET any -> [185.171.25.10] 5534 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203279; rev:1;) alert tcp $HOME_NET any -> [23.105.131.159] 1002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203280; rev:1;) alert tcp $HOME_NET any -> [213.152.162.165] 34071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203281; rev:1;) alert tcp $HOME_NET any -> [94.242.57.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203282; rev:1;) alert tcp $HOME_NET any -> [213.208.129.199] 3422 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203283; rev:1;) alert tcp $HOME_NET any -> [85.214.62.153] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203284; rev:1;) alert tcp $HOME_NET any -> [205.178.144.133] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203285; rev:1;) alert tcp $HOME_NET any -> [95.140.125.115] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203286; rev:1;) alert tcp $HOME_NET any -> [213.183.58.36] 6466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203287; rev:1;) alert tcp $HOME_NET any -> [23.105.131.132] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203288; rev:1;) alert tcp $HOME_NET any -> [95.140.125.72] 2555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203289; rev:1;) alert tcp $HOME_NET any -> [185.236.130.123] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203290; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 3939 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203291; rev:1;) alert tcp $HOME_NET any -> [77.48.28.226] 7383 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203292; rev:1;) alert tcp $HOME_NET any -> [185.171.25.6] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203293; rev:1;) alert tcp $HOME_NET any -> [181.215.247.126] 4201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203294; rev:1;) alert tcp $HOME_NET any -> [185.186.244.86] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203295; rev:1;) alert tcp $HOME_NET any -> [154.16.93.177] 3465 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203296; rev:1;) alert tcp $HOME_NET any -> [191.101.22.139] 18993 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203297; rev:1;) alert tcp $HOME_NET any -> [178.175.138.200] 1722 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203298; rev:1;) alert tcp $HOME_NET any -> [66.189.228.49] 995 (msg:"SSLBL: Traffic to malicious host 
(likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203299; rev:1;) alert tcp $HOME_NET any -> [78.155.218.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203300; rev:1;) alert tcp $HOME_NET any -> [149.255.36.229] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203301; rev:1;) alert tcp $HOME_NET any -> [185.227.83.45] 6890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203302; rev:1;) alert tcp $HOME_NET any -> [45.77.82.205] 2002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203303; rev:1;) alert tcp $HOME_NET any -> [95.213.194.9] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203304; rev:1;) alert tcp $HOME_NET any -> [94.103.82.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203305; rev:1;) alert tcp $HOME_NET any -> [95.140.125.34] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203306; rev:1;) alert tcp $HOME_NET any -> [185.56.90.79] 2000 (msg:"SSLBL: 
Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203307; rev:1;) alert tcp $HOME_NET any -> [216.38.7.252] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203308; rev:1;) alert tcp $HOME_NET any -> [23.105.131.192] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203309; rev:1;) alert tcp $HOME_NET any -> [191.101.22.24] 4914 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203310; rev:1;) alert tcp $HOME_NET any -> [185.84.181.99] 2258 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203311; rev:1;) alert tcp $HOME_NET any -> [91.192.100.60] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203312; rev:1;) alert tcp $HOME_NET any -> [194.87.95.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203313; rev:1;) alert tcp $HOME_NET any -> [174.127.99.165] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203314; rev:1;) alert tcp $HOME_NET any -> 
[94.250.252.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203315; rev:1;)
# Each rule below alerts on an established TCP session from $HOME_NET to one
# listed destination IP and port (flow:established,to_server). No payload or
# TLS content option is present: the match is on address and port alone.
# threshold "type limit, track by_src, seconds 60, count 1" caps each rule at
# one alert per source host per 60 seconds.
# The malware family named in msg is the feed's label ("likely ..."); nothing
# in the rule checks it on the wire.
# NOTE(review): IP:port indicators go stale as hosts are reassigned; the file
# header gives "Last updated: 2021-01-19" - confirm the feed is refreshed
# before treating a hit as current C2 activity.
alert tcp $HOME_NET any -> [62.109.27.157] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203316; rev:1;)
alert tcp $HOME_NET any -> [37.230.115.201] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203317; rev:1;)
alert tcp $HOME_NET any -> [185.228.232.87] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203318; rev:1;)
alert tcp $HOME_NET any -> [77.244.215.158] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203319; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.214] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203320; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.162] 5543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203321; rev:1;)
alert tcp $HOME_NET any -> [137.74.157.90] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203322; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.33] 7321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203323; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.242] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203324; rev:1;)
alert tcp $HOME_NET any -> [46.21.248.108] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203325; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.10] 5531 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203326; rev:1;)
alert tcp $HOME_NET any -> [107.155.72.119] 1602 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203327; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.49] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203328; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.176] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203329; rev:1;)
alert tcp $HOME_NET any -> [212.7.208.71] 1979 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203330; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.31] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203331; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.174] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203332; rev:1;)
alert tcp $HOME_NET any -> [109.234.34.110] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203333; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.27] 11339 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203334; rev:1;)
alert tcp $HOME_NET any -> [185.158.114.129] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203335; rev:1;)
alert tcp $HOME_NET any -> [172.104.10.121] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203336; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.123] 2018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203337; rev:1;)
alert tcp $HOME_NET any -> [194.87.93.225] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203338; rev:1;)
alert tcp $HOME_NET any -> [46.19.137.137] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203339; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.212] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203340; rev:1;)
alert tcp $HOME_NET any -> [194.87.92.147] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203341; rev:1;)
alert tcp $HOME_NET any -> [109.234.36.181] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203342; rev:1;)
alert tcp $HOME_NET any -> [191.96.15.135] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203343; rev:1;)
alert tcp $HOME_NET any -> [94.103.80.134] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203344; rev:1;)
alert tcp $HOME_NET any -> [95.213.237.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203345; rev:1;)
alert tcp $HOME_NET any -> [212.7.218.56] 9480 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203346; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.124] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203347; rev:1;)
alert tcp $HOME_NET any -> [62.109.25.11] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203348; rev:1;)
alert tcp $HOME_NET any -> [37.230.114.93] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203349; rev:1;)
alert tcp $HOME_NET any -> [78.155.218.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203350; rev:1;)
alert tcp $HOME_NET any -> [92.63.106.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203351; rev:1;)
alert tcp $HOME_NET any -> [78.24.218.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203352; rev:1;)
alert tcp $HOME_NET any -> [95.154.199.237] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203353; rev:1;)
alert tcp $HOME_NET any -> [82.146.57.127] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203354; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.34] 2012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203355; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.34] 9125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203356; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.26] 5011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203357; rev:1;)
alert tcp $HOME_NET any -> [62.109.26.251] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203358; rev:1;)
alert tcp $HOME_NET any -> [109.234.37.132] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203359; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.169] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203360; rev:1;)
alert tcp $HOME_NET any -> [194.87.145.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203361; rev:1;)
alert tcp $HOME_NET any -> [184.155.19.94] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203362; rev:1;)
alert tcp $HOME_NET any -> [73.76.201.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203363; rev:1;)
alert tcp $HOME_NET any -> [131.108.170.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203364; rev:1;)
alert tcp $HOME_NET any -> [93.113.45.10] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203365; rev:1;)
alert tcp $HOME_NET any -> [37.230.115.129] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203366; rev:1;)
alert tcp $HOME_NET any -> [185.234.15.7] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203367; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.3] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203368; rev:1;)
alert tcp $HOME_NET any -> [193.124.117.229] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203369; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.141] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203370; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203371; rev:1;)
alert tcp $HOME_NET any -> [178.159.36.92] 443 (msg:"SSLBL: Traffic to malicious host (likely LockPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203372; rev:1;)
alert tcp $HOME_NET any -> [89.36.214.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloader.AuotIT.ZLIB C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203373; rev:1;)
alert tcp $HOME_NET any -> [203.24.188.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203374; rev:1;)
alert tcp $HOME_NET any -> [94.177.229.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloader.AuotIT.ZLIB C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203375; rev:1;)
alert tcp $HOME_NET any -> [176.31.46.70] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203376; rev:1;)
alert tcp $HOME_NET any -> [185.106.120.201] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203377; rev:1;)
alert tcp $HOME_NET any -> [66.222.48.40] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203378; rev:1;)
alert tcp $HOME_NET any -> [86.27.41.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203379; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.136] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203380; rev:1;)
alert tcp $HOME_NET any -> [46.30.45.208] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203381; rev:1;)
alert tcp $HOME_NET any -> [98.191.134.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203382; rev:1;)
alert tcp $HOME_NET any -> [92.53.91.109] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203383; rev:1;)
alert tcp $HOME_NET any -> [194.87.238.84] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203384; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203385; rev:1;)
alert tcp $HOME_NET any -> [89.18.27.155] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203386; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.187] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203387; rev:1;)
alert tcp $HOME_NET any -> [145.239.21.254] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203388; rev:1;)
alert tcp $HOME_NET any -> [185.101.34.84] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203389; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.201] 22777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203390; rev:1;)
alert tcp $HOME_NET any -> [190.123.44.141] 1501 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203391; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.56] 3052 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203392; rev:1;)
alert tcp $HOME_NET any -> [85.204.49.128] 6088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203393; rev:1;)
alert tcp $HOME_NET any -> [151.106.2.127] 7050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203394; rev:1;)
alert tcp $HOME_NET any -> [195.133.201.94] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203395; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.192] 6796 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203396; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.3] 5097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203397; rev:1;)
alert tcp $HOME_NET any -> [104.236.172.37] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203398; rev:1;)
alert tcp $HOME_NET any -> [45.58.49.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203399; rev:1;)
alert tcp $HOME_NET any -> [95.46.114.118] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203400; rev:1;)
alert tcp $HOME_NET any -> [185.82.217.96] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203401; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.150] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203402; rev:1;)
alert tcp $HOME_NET any -> [46.8.158.34] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203403; rev:1;)
alert tcp $HOME_NET any -> [93.170.123.151] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203404; rev:1;)
alert tcp $HOME_NET any -> [95.46.98.93] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203405; rev:1;)
alert tcp $HOME_NET any -> [162.248.246.229] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203406; rev:1;)
alert tcp $HOME_NET any -> [107.170.231.118] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203407; rev:1;)
alert tcp $HOME_NET any -> [94.242.58.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203408; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.101] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203409; rev:1;)
alert tcp $HOME_NET any -> [192.254.173.150] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203410; rev:1;)
alert tcp $HOME_NET any -> [27.102.107.180] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203411; rev:1;)
alert tcp $HOME_NET any -> [185.161.210.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203412; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203413; rev:1;)
alert tcp $HOME_NET any -> [94.75.240.80] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203414; rev:1;)
alert tcp $HOME_NET any -> [94.250.253.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203415; rev:1;)
alert tcp $HOME_NET any -> [188.120.243.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203416; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203417; rev:1;)
alert tcp $HOME_NET any -> [82.146.48.241] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203418; rev:1;)
alert tcp $HOME_NET any -> [193.124.117.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203419; rev:1;)
alert tcp $HOME_NET any -> [176.56.237.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203420; rev:1;)
alert tcp $HOME_NET any -> [200.111.97.235] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203421; rev:1;)
alert tcp $HOME_NET any -> [195.2.253.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203422; rev:1;)
alert tcp $HOME_NET any -> [94.250.255.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203423; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.163] 3348 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203424; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.56] 1997 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203425; rev:1;)
alert tcp $HOME_NET any -> [185.224.133.57] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203426; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.2] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203427; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.4] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203428; rev:1;)
alert tcp $HOME_NET any -> [46.8.158.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203429; rev:1;)
alert tcp $HOME_NET any -> [212.7.208.82] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203430; rev:1;)
alert tcp $HOME_NET any -> [67.209.219.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203431; rev:1;)
alert tcp $HOME_NET any -> [179.43.147.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203432; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.32] 2323 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203433; rev:1;)
alert tcp $HOME_NET any -> [109.120.155.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203434; rev:1;)
alert tcp $HOME_NET any -> [178.33.182.138] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203435; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203436; rev:1;)
alert tcp $HOME_NET any -> [185.198.58.164] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203437; rev:1;)
alert tcp $HOME_NET any -> [185.186.140.192] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203438; rev:1;)
alert tcp $HOME_NET any -> [95.213.204.105] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203439; rev:1;)
alert tcp $HOME_NET any -> [5.200.55.47] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203440; rev:1;)
alert tcp $HOME_NET any -> [138.197.255.18] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203441; rev:1;)
alert tcp $HOME_NET any -> [173.212.227.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203442; rev:1;)
alert tcp $HOME_NET any -> [62.109.16.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203443; rev:1;)
alert tcp $HOME_NET any -> [185.80.130.32] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203444; rev:1;)
alert tcp $HOME_NET any -> [185.159.130.63] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203445; rev:1;)
alert tcp $HOME_NET any -> [62.109.26.193] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203446; rev:1;)
alert tcp $HOME_NET any -> [27.102.66.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203447; rev:1;)
alert tcp $HOME_NET any -> [5.133.11.56] 1840 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203448; rev:1;)
alert tcp $HOME_NET any -> [185.200.117.131] 3567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203449; rev:1;)
alert tcp $HOME_NET any -> [185.22.173.239] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203450; rev:1;)
alert tcp $HOME_NET any -> [185.92.239.13] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203451; rev:1;)
alert tcp $HOME_NET any -> [95.154.199.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203452; rev:1;)
alert tcp $HOME_NET any -> [78.24.223.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203453; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.115] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203454; rev:1;)
alert tcp $HOME_NET any -> [185.34.52.58] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203455; rev:1;)
alert tcp $HOME_NET any -> [95.213.235.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203456; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.56] 2644 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203457; rev:1;)
alert tcp $HOME_NET any -> [91.92.136.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203458; rev:1;)
alert tcp $HOME_NET any -> [213.208.152.206] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203459; rev:1;)
alert tcp $HOME_NET any -> [27.102.107.50] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203460; rev:1;)
alert tcp $HOME_NET any -> [185.164.34.18] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203461; rev:1;)
alert tcp $HOME_NET any -> [185.133.42.243] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203462; rev:1;)
alert tcp $HOME_NET any -> [94.177.12.239] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203463; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.69] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203464; rev:1;)
alert tcp $HOME_NET any -> [92.53.78.220] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203465; rev:1;)
alert tcp $HOME_NET any -> [137.74.150.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203466; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203467; rev:1;)
alert tcp $HOME_NET any -> [5.39.47.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203468; rev:1;)
alert tcp $HOME_NET any -> [185.22.173.238] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203469; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.13] 6447 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203470; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.23] 2051 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203471; rev:1;) alert tcp $HOME_NET any -> [178.175.138.212] 9572 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203472; rev:1;) alert tcp $HOME_NET any -> [86.105.227.136] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203473; rev:1;) alert tcp $HOME_NET any -> [213.183.40.10] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203474; rev:1;) alert tcp $HOME_NET any -> [23.254.202.203] 2688 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203475; rev:1;) alert tcp $HOME_NET any -> [91.92.128.45] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203476; rev:1;) alert tcp $HOME_NET any -> [185.175.158.213] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203477; rev:1;) alert tcp $HOME_NET any -> [31.41.46.196] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203478; rev:1;) alert tcp $HOME_NET any -> [185.84.181.87] 1759 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905203479; rev:1;) alert tcp $HOME_NET any -> [213.152.161.239] 10752 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203480; rev:1;) alert tcp $HOME_NET any -> [213.183.58.45] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203481; rev:1;) alert tcp $HOME_NET any -> [185.228.232.68] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203482; rev:1;) alert tcp $HOME_NET any -> [5.133.11.63] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203483; rev:1;) alert tcp $HOME_NET any -> [194.87.102.252] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203484; rev:1;) alert tcp $HOME_NET any -> [184.75.209.163] 5434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203485; rev:1;) alert tcp $HOME_NET any -> [212.38.166.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203486; rev:1;) alert tcp $HOME_NET any -> [194.87.111.134] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203487; rev:1;) alert tcp $HOME_NET any -> [176.10.124.195] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203488; rev:1;) alert tcp $HOME_NET any -> [213.183.58.51] 4141 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203489; rev:1;) alert tcp $HOME_NET any -> [104.200.67.112] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203490; rev:1;) alert tcp $HOME_NET any -> [66.146.66.27] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203491; rev:1;) alert tcp $HOME_NET any -> [154.16.63.19] 6045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203492; rev:1;) alert tcp $HOME_NET any -> [172.75.241.225] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203493; rev:1;) alert tcp $HOME_NET any -> [94.177.12.101] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203494; rev:1;) alert tcp $HOME_NET any -> [95.150.72.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203495; rev:1;) alert tcp $HOME_NET any -> [164.177.159.22] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203496; rev:1;) alert tcp $HOME_NET any -> [128.199.244.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203497; rev:1;) alert tcp $HOME_NET any -> [194.87.103.71] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203498; rev:1;) alert tcp $HOME_NET any -> [94.250.254.104] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203499; rev:1;) alert tcp $HOME_NET any -> [37.230.113.231] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203500; rev:1;) alert tcp $HOME_NET any -> [208.69.58.252] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203501; rev:1;) alert tcp $HOME_NET any -> [27.102.67.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203502; rev:1;) alert tcp $HOME_NET any -> [194.87.238.194] 447 (msg:"SSLBL: Traffic to malicious 
host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203503; rev:1;) alert tcp $HOME_NET any -> [195.133.197.115] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203504; rev:1;) alert tcp $HOME_NET any -> [95.213.236.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203505; rev:1;) alert tcp $HOME_NET any -> [160.202.163.200] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203506; rev:1;) alert tcp $HOME_NET any -> [212.7.218.59] 8741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203507; rev:1;) alert tcp $HOME_NET any -> [176.10.124.196] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203508; rev:1;) alert tcp $HOME_NET any -> [79.172.242.86] 9555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203509; rev:1;) alert tcp $HOME_NET any -> [185.34.52.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203510; rev:1;) alert tcp $HOME_NET any -> [45.63.77.42] 443 
(msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203511; rev:1;) alert tcp $HOME_NET any -> [83.0.245.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203512; rev:1;) alert tcp $HOME_NET any -> [89.37.226.101] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203513; rev:1;) alert tcp $HOME_NET any -> [60.190.27.162] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203514; rev:1;) alert tcp $HOME_NET any -> [91.92.128.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203515; rev:1;) alert tcp $HOME_NET any -> [79.172.242.24] 1895 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203516; rev:1;) alert tcp $HOME_NET any -> [46.249.62.244] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203517; rev:1;) alert tcp $HOME_NET any -> [185.164.34.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203518; rev:1;) alert tcp 
$HOME_NET any -> [187.188.162.150] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203519; rev:1;) alert tcp $HOME_NET any -> [162.255.117.34] 800 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203520; rev:1;) alert tcp $HOME_NET any -> [176.10.124.197] 1888 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203521; rev:1;) alert tcp $HOME_NET any -> [176.10.124.237] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203522; rev:1;) alert tcp $HOME_NET any -> [95.213.252.209] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203523; rev:1;) alert tcp $HOME_NET any -> [194.87.145.199] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203524; rev:1;) alert tcp $HOME_NET any -> [109.120.152.175] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203525; rev:1;) alert tcp $HOME_NET any -> [27.102.106.140] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203526; rev:1;) alert tcp $HOME_NET any -> [204.152.219.98] 9988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203527; rev:1;) alert tcp $HOME_NET any -> [213.183.58.43] 1011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203528; rev:1;) alert tcp $HOME_NET any -> [174.127.99.129] 1234 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203529; rev:1;) alert tcp $HOME_NET any -> [179.43.147.235] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203530; rev:1;) alert tcp $HOME_NET any -> [146.255.79.173] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203531; rev:1;) alert tcp $HOME_NET any -> [185.80.130.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203532; rev:1;) alert tcp $HOME_NET any -> [107.170.65.224] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203533; rev:1;) alert tcp $HOME_NET any -> [79.106.41.23] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203534; rev:1;) alert tcp $HOME_NET any -> [5.8.88.78] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203535; rev:1;) alert tcp $HOME_NET any -> [185.198.57.11] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203536; rev:1;) alert tcp $HOME_NET any -> [86.105.227.152] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203537; rev:1;) alert tcp $HOME_NET any -> [185.28.63.109] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203538; rev:1;) alert tcp $HOME_NET any -> [92.63.105.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203539; rev:1;) alert tcp $HOME_NET any -> [46.28.204.81] 443 (msg:"SSLBL: Traffic to malicious host (likely QuantLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203540; rev:1;) alert tcp $HOME_NET any -> [194.87.102.119] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203541; rev:1;) alert tcp $HOME_NET any -> [95.213.251.5] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203542; rev:1;) alert tcp $HOME_NET any -> [95.213.195.174] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203543; rev:1;) alert tcp $HOME_NET any -> [89.45.67.104] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203544; rev:1;) alert tcp $HOME_NET any -> [92.53.66.73] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203545; rev:1;) alert tcp $HOME_NET any -> [95.213.194.244] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203546; rev:1;) alert tcp $HOME_NET any -> [149.154.71.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203547; rev:1;) alert tcp $HOME_NET any -> [176.10.124.226] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203548; rev:1;) alert tcp $HOME_NET any -> [185.82.200.224] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203549; rev:1;) alert tcp $HOME_NET any -> [174.127.99.172] 4242 (msg:"SSLBL: Traffic to malicious 
host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203550; rev:1;) alert tcp $HOME_NET any -> [78.155.206.233] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203551; rev:1;) alert tcp $HOME_NET any -> [185.213.209.194] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203552; rev:1;) alert tcp $HOME_NET any -> [91.134.203.113] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203553; rev:1;) alert tcp $HOME_NET any -> [194.87.236.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203554; rev:1;) alert tcp $HOME_NET any -> [154.16.63.167] 7878 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203555; rev:1;) alert tcp $HOME_NET any -> [104.131.89.74] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203556; rev:1;) alert tcp $HOME_NET any -> [89.171.146.30] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203557; rev:1;) alert tcp $HOME_NET any -> [95.213.252.23] 443 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203558; rev:1;) alert tcp $HOME_NET any -> [194.87.236.180] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203559; rev:1;) alert tcp $HOME_NET any -> [185.106.120.167] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203560; rev:1;) alert tcp $HOME_NET any -> [195.133.146.122] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203561; rev:1;) alert tcp $HOME_NET any -> [187.191.0.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203562; rev:1;) alert tcp $HOME_NET any -> [156.17.92.161] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203563; rev:1;) alert tcp $HOME_NET any -> [5.200.35.40] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203564; rev:1;) alert tcp $HOME_NET any -> [145.249.105.20] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203565; rev:1;) alert tcp 
$HOME_NET any -> [78.24.217.88] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203566; rev:1;) alert tcp $HOME_NET any -> [195.133.146.117] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203567; rev:1;) alert tcp $HOME_NET any -> [194.87.236.168] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203568; rev:1;) alert tcp $HOME_NET any -> [95.213.251.95] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203569; rev:1;) alert tcp $HOME_NET any -> [104.236.49.165] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203570; rev:1;) alert tcp $HOME_NET any -> [46.22.211.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203571; rev:1;) alert tcp $HOME_NET any -> [164.132.28.118] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203572; rev:1;) alert tcp $HOME_NET any -> [194.87.239.104] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203573; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow
#
# What each rule matches: an established, client-to-server TCP flow from
# $HOME_NET (any source port) to one listed destination IP and port. The rules
# carry no content, TLS or certificate keyword, so a hit shows that an internal
# host connected to that address -- it does not show that the named family's
# protocol was observed. The msg text says "likely" for that reason.
#
# Alert volume: "threshold: type limit, track by_src, seconds 60, count 1"
# emits at most one alert per source address per 60 seconds for each rule.
# Use flow or connection logs, not alert counts, to judge how often a host
# talked to the destination.
#
# Coverage depends on $HOME_NET: a source outside that variable never matches.
#
# Triage: IP:port indicators go stale and addresses get reassigned. Check the
# feed's "Last updated" header against the event time, and corroborate with
# DNS, TLS certificate or endpoint evidence before treating a hit as confirmed.
#
# NOTE(review): Snort 2.9 documents the in-rule "threshold" option as
# deprecated in favour of event_filter / detection_filter -- confirm that the
# engine version loading this file still accepts it.
# NOTE(review): every rule must sit on one physical line (or use a trailing
# backslash continuation) to load; the first and last lines of this span are
# pieces of rules that continue on the neighbouring lines.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [181.211.34.154] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203574; rev:1;)
alert tcp $HOME_NET any -> [89.45.67.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203575; rev:1;)
alert tcp $HOME_NET any -> [37.230.112.61] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203576; rev:1;)
alert tcp $HOME_NET any -> [80.188.120.11] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203577; rev:1;)
alert tcp $HOME_NET any -> [194.87.234.254] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203578; rev:1;)
alert tcp $HOME_NET any -> [212.38.166.236] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203579; rev:1;)
alert tcp $HOME_NET any -> [77.244.215.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203580; rev:1;)
alert tcp $HOME_NET any -> [188.120.249.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203581; rev:1;)
alert tcp $HOME_NET any -> [185.117.73.235] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203582; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.172] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203583; rev:1;)
alert tcp $HOME_NET any -> [62.109.9.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203584; rev:1;)
alert tcp $HOME_NET any -> [149.154.69.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203585; rev:1;)
alert tcp $HOME_NET any -> [93.95.97.138] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203586; rev:1;)
alert tcp $HOME_NET any -> [188.120.248.190] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203587; rev:1;)
alert tcp $HOME_NET any -> [185.77.128.166] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203588; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.123] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203589; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203590; rev:1;)
alert tcp $HOME_NET any -> [79.119.121.185] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203591; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.154] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203592; rev:1;)
alert tcp $HOME_NET any -> [185.183.96.165] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203593; rev:1;)
alert tcp $HOME_NET any -> [119.28.153.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Zloader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203594; rev:1;)
alert tcp $HOME_NET any -> [80.87.198.198] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203595; rev:1;)
alert tcp $HOME_NET any -> [193.124.117.39] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203596; rev:1;)
alert tcp $HOME_NET any -> [86.105.227.137] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203597; rev:1;)
alert tcp $HOME_NET any -> [79.170.7.139] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203598; rev:1;)
alert tcp $HOME_NET any -> [37.60.177.199] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203599; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203600; rev:1;)
alert tcp $HOME_NET any -> [107.161.160.30] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203601; rev:1;)
alert tcp $HOME_NET any -> [188.120.231.188] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203602; rev:1;)
alert tcp $HOME_NET any -> [188.137.86.7] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203603; rev:1;)
alert tcp $HOME_NET any -> [37.220.31.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203604; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.111] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203605; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.166] 4414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203606; rev:1;)
alert tcp $HOME_NET any -> [185.82.217.224] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203607; rev:1;)
alert tcp $HOME_NET any -> [169.239.129.47] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203608; rev:1;)
alert tcp $HOME_NET any -> [185.82.216.187] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203609; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.112] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203610; rev:1;)
alert tcp $HOME_NET any -> [196.202.194.202] 451 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203611; rev:1;)
alert tcp $HOME_NET any -> [70.184.5.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203612; rev:1;)
alert tcp $HOME_NET any -> [94.177.12.245] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203613; rev:1;)
alert tcp $HOME_NET any -> [185.82.218.28] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203614; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.83] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203615; rev:1;)
alert tcp $HOME_NET any -> [74.202.242.28] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203616; rev:1;)
alert tcp $HOME_NET any -> [194.87.232.219] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203617; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.184] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203618; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.173] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203619; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.162] 2018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203620; rev:1;)
alert tcp $HOME_NET any -> [194.87.93.172] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203621; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.165] 1010 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203622; rev:1;)
alert tcp $HOME_NET any -> [82.146.45.93] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203623; rev:1;)
alert tcp $HOME_NET any -> [82.146.59.247] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203624; rev:1;)
alert tcp $HOME_NET any -> [5.196.54.0] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203625; rev:1;)
alert tcp $HOME_NET any -> [185.159.131.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203626; rev:1;)
alert tcp $HOME_NET any -> [104.140.247.125] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203627; rev:1;)
alert tcp $HOME_NET any -> [185.117.73.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203628; rev:1;)
alert tcp $HOME_NET any -> [82.146.56.32] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203629; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.240] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203630; rev:1;)
alert tcp $HOME_NET any -> [92.63.102.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203631; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.74] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203632; rev:1;)
alert tcp $HOME_NET any -> [49.51.134.93] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203633; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.14] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203634; rev:1;)
alert tcp $HOME_NET any -> [185.158.113.194] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203635; rev:1;)
alert tcp $HOME_NET any -> [185.82.218.26] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203636; rev:1;)
alert tcp $HOME_NET any -> [85.221.243.6] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203637; rev:1;)
alert tcp $HOME_NET any -> [82.146.40.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203638; rev:1;)
alert tcp $HOME_NET any -> [92.63.102.64] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203639; rev:1;)
alert tcp $HOME_NET any -> [82.146.47.127] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203640; rev:1;)
alert tcp $HOME_NET any -> [185.158.152.225] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203641; rev:1;)
alert tcp $HOME_NET any -> [66.222.49.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203642; rev:1;)
alert tcp $HOME_NET any -> [107.170.101.158] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203643; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.134] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203644; rev:1;)
alert tcp $HOME_NET any -> [216.126.58.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203645; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.102] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203646; rev:1;)
alert tcp $HOME_NET any -> [194.87.92.191] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203647; rev:1;)
alert tcp $HOME_NET any -> [195.133.196.130] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203648; rev:1;)
alert tcp $HOME_NET any -> [195.133.49.17] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203649; rev:1;)
alert tcp $HOME_NET any -> [49.51.35.119] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203650; rev:1;)
alert tcp $HOME_NET any -> [185.158.153.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203651; rev:1;)
alert tcp $HOME_NET any -> [194.87.239.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203652; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.59] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203653; rev:1;)
alert tcp $HOME_NET any -> [46.237.117.193] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203654; rev:1;)
alert tcp $HOME_NET any -> [76.179.72.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203655; rev:1;)
alert tcp $HOME_NET any -> [67.139.169.66] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203656; rev:1;)
alert tcp $HOME_NET any -> [132.206.59.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203657; rev:1;)
alert tcp $HOME_NET any -> [189.244.44.128] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203658; rev:1;)
alert tcp $HOME_NET any -> [96.246.147.237] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203659; rev:1;)
alert tcp $HOME_NET any -> [108.35.21.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203660; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.79] 4820 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203661; rev:1;)
alert tcp $HOME_NET any -> [5.2.76.91] 6868 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203662; rev:1;)
alert tcp $HOME_NET any -> [87.106.219.40] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203663; rev:1;)
alert tcp $HOME_NET any -> [172.112.229.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203664; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.197] 3487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203665; rev:1;)
alert tcp $HOME_NET any -> [64.132.75.142] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203666; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.57] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203667; rev:1;)
alert tcp $HOME_NET any -> [49.51.38.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203668; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.26] 9090 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203669; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203670; rev:1;)
alert tcp $HOME_NET any -> [185.127.26.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203671; rev:1;)
alert tcp $HOME_NET any -> [5.200.35.63] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203672; rev:1;)
alert tcp $HOME_NET any -> [162.243.137.50] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203673; rev:1;)
alert tcp $HOME_NET any -> [173.203.123.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203674; rev:1;)
alert tcp $HOME_NET any -> [204.152.219.72] 7878 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203675; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.239] 7790 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203676; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.150] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203677; rev:1;)
alert tcp $HOME_NET any -> [31.171.155.60] 5588 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203678; rev:1;)
alert tcp $HOME_NET any -> [194.87.99.234] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203679; rev:1;)
alert tcp $HOME_NET any -> [95.167.151.233] 4045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203680; rev:1;)
alert tcp $HOME_NET any -> [197.85.185.132] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203681; rev:1;)
alert tcp $HOME_NET any -> [95.167.151.234] 9212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203682; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.230] 1566 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203683; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.151] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203684; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.243] 4780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203685; rev:1;)
alert tcp $HOME_NET any -> [91.233.116.104] 7728 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203686; rev:1;)
alert tcp $HOME_NET any -> [154.16.63.221] 9909 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203687; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.35] 4101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203688; rev:1;)
alert tcp $HOME_NET any -> [82.146.40.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203689; rev:1;)
alert tcp $HOME_NET any -> [185.112.82.64] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203690; rev:1;)
alert tcp $HOME_NET any -> [92.207.100.244] 4843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203691; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.85] 7177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203692; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.213] 6790 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203693; rev:1;)
alert tcp $HOME_NET any -> [193.218.145.101] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203694; rev:1;)
alert tcp $HOME_NET any -> [185.117.72.98] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203695; rev:1;)
alert tcp $HOME_NET any -> [49.51.135.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203696; rev:1;)
alert tcp $HOME_NET any -> [5.45.86.128] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203697; rev:1;)
alert tcp $HOME_NET any -> [194.87.111.83] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203698; rev:1;)
alert tcp $HOME_NET any -> [185.158.115.61] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203699; rev:1;)
alert tcp $HOME_NET any -> [194.87.98.234] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203700; rev:1;)
alert tcp $HOME_NET any -> [94.75.77.162] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203701; rev:1;)
alert tcp $HOME_NET any -> [49.51.133.206] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203702; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.20] 8787 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203703; rev:1;)
alert tcp $HOME_NET any -> [45.77.97.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203704; rev:1;)
alert tcp $HOME_NET any -> [47.74.154.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203705; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.156] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203706; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.181] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203707; rev:1;)
alert tcp $HOME_NET any -> [5.45.83.115] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203708; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.223] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203709; rev:1;)
alert tcp $HOME_NET any -> [194.87.110.49] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203710; rev:1;)
alert tcp $HOME_NET any -> [54.208.118.55] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203711; rev:1;)
alert tcp $HOME_NET any -> [34.229.150.157] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203712; rev:1;)
alert tcp $HOME_NET any -> [185.141.25.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203713; rev:1;)
alert tcp $HOME_NET any -> [103.25.58.168] 5676 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203714; rev:1;)
alert tcp $HOME_NET any -> [107.189.162.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203715; rev:1;)
alert tcp $HOME_NET any -> [195.133.147.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203716; rev:1;)
alert tcp $HOME_NET any -> [89.231.13.38] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203717; rev:1;)
alert tcp $HOME_NET any -> [188.137.122.40] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203718; rev:1;)
alert tcp $HOME_NET any -> [188.137.122.68] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203719; rev:1;)
alert tcp $HOME_NET any -> [185.158.115.57] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203720; rev:1;)
alert tcp $HOME_NET any -> [195.133.144.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203721; rev:1;)
alert tcp $HOME_NET any -> [73.166.89.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203722; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.31] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203723; rev:1;)
alert tcp $HOME_NET any -> [18.220.233.103] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203724; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.228] 4147 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203725; rev:1;)
alert tcp $HOME_NET any -> [47.89.254.87] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203726; rev:1;)
alert tcp $HOME_NET any -> [52.90.250.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203727; rev:1;)
alert tcp $HOME_NET any -> [195.133.145.222] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203728; rev:1;)
alert tcp $HOME_NET any -> [190.1.231.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203729; rev:1;)
alert tcp $HOME_NET any -> [185.94.191.82] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203730; rev:1;)
alert tcp $HOME_NET any -> [188.137.122.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203731; rev:1;)
alert tcp $HOME_NET any -> [45.32.70.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203732; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203733; rev:1;)
alert tcp $HOME_NET any -> [194.87.99.225] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203734; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203735; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.198] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203736; rev:1;)
alert tcp $HOME_NET any -> [18.221.102.212] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203737; rev:1;)
alert tcp $HOME_NET any -> [91.83.88.51] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203738; rev:1;) alert tcp $HOME_NET any -> [47.89.253.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Zloader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203739; rev:1;) alert tcp $HOME_NET any -> [155.94.238.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203740; rev:1;) alert tcp $HOME_NET any -> [91.211.246.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203741; rev:1;) alert tcp $HOME_NET any -> [194.87.93.97] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203742; rev:1;) alert tcp $HOME_NET any -> [5.8.88.219] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203743; rev:1;) alert tcp $HOME_NET any -> [5.188.231.46] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203744; rev:1;) alert tcp $HOME_NET any -> [185.165.29.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203745; rev:1;) alert tcp $HOME_NET any -> [185.174.101.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203746; rev:1;) alert tcp $HOME_NET any -> [74.208.167.95] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203747; rev:1;) alert tcp $HOME_NET any -> [87.106.15.52] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203748; rev:1;) alert tcp $HOME_NET any -> [103.208.86.215] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203749; rev:1;) alert tcp $HOME_NET any -> [178.156.202.159] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203750; rev:1;) alert tcp $HOME_NET any -> [5.133.179.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203751; rev:1;) alert tcp $HOME_NET any -> [185.80.128.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203752; rev:1;) alert tcp $HOME_NET any -> [91.236.116.144] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203753; rev:1;) alert tcp $HOME_NET any -> [194.68.59.45] 5657 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203754; rev:1;) alert tcp $HOME_NET any -> [195.133.48.80] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203755; rev:1;) alert tcp $HOME_NET any -> [194.87.99.62] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203756; rev:1;) alert tcp $HOME_NET any -> [185.82.200.159] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203757; rev:1;) alert tcp $HOME_NET any -> [184.155.19.94] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203758; rev:1;) alert tcp $HOME_NET any -> [216.107.149.57] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203759; rev:1;) alert tcp $HOME_NET any -> [47.74.150.46] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203760; rev:1;) alert tcp $HOME_NET any -> [5.188.231.44] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203761; rev:1;) alert tcp $HOME_NET any -> [185.203.118.198] 443 
(msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203762; rev:1;) alert tcp $HOME_NET any -> [185.82.217.212] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203763; rev:1;) alert tcp $HOME_NET any -> [95.140.125.26] 1677 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203764; rev:1;) alert tcp $HOME_NET any -> [107.173.168.160] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203765; rev:1;) alert tcp $HOME_NET any -> [24.182.236.58] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203766; rev:1;) alert tcp $HOME_NET any -> [216.187.170.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203767; rev:1;) alert tcp $HOME_NET any -> [66.85.27.170] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203768; rev:1;) alert tcp $HOME_NET any -> [178.175.138.167] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203769; rev:1;) alert tcp 
$HOME_NET any -> [146.255.79.167] 88 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203770; rev:1;) alert tcp $HOME_NET any -> [78.130.176.192] 6463 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203771; rev:1;) alert tcp $HOME_NET any -> [181.215.247.7] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203772; rev:1;) alert tcp $HOME_NET any -> [173.254.223.88] 1592 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203773; rev:1;) alert tcp $HOME_NET any -> [194.87.102.36] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203774; rev:1;) alert tcp $HOME_NET any -> [191.101.22.168] 1759 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203775; rev:1;) alert tcp $HOME_NET any -> [188.165.62.8] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203776; rev:1;) alert tcp $HOME_NET any -> [174.127.99.156] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203777; rev:1;) alert tcp $HOME_NET any -> [78.130.176.223] 6666 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203778; rev:1;) alert tcp $HOME_NET any -> [103.16.27.91] 5874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203779; rev:1;) alert tcp $HOME_NET any -> [108.49.159.2] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203780; rev:1;) alert tcp $HOME_NET any -> [89.46.222.232] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203781; rev:1;) alert tcp $HOME_NET any -> [191.101.22.27] 1616 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203782; rev:1;) alert tcp $HOME_NET any -> [31.31.77.229] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203783; rev:1;) alert tcp $HOME_NET any -> [194.68.59.33] 7798 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203784; rev:1;) alert tcp $HOME_NET any -> [94.242.213.178] 3360 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203785; rev:1;) alert tcp $HOME_NET any -> [95.183.52.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203786; rev:1;) alert tcp $HOME_NET any -> [185.189.112.142] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203787; rev:1;) alert tcp $HOME_NET any -> [64.71.166.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203788; rev:1;) alert tcp $HOME_NET any -> [144.208.127.142] 1986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203789; rev:1;) alert tcp $HOME_NET any -> [94.242.213.97] 3360 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203790; rev:1;) alert tcp $HOME_NET any -> [173.254.252.209] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203791; rev:1;) alert tcp $HOME_NET any -> [79.124.78.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203792; rev:1;) alert tcp $HOME_NET any -> [154.16.220.117] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203793; rev:1;) alert tcp $HOME_NET any -> [146.255.79.186] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203794; rev:1;) alert tcp $HOME_NET any -> [134.19.176.150] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203795; rev:1;) alert tcp $HOME_NET any -> [210.16.101.88] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203796; rev:1;) alert tcp $HOME_NET any -> [51.254.164.249] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203797; rev:1;) alert tcp $HOME_NET any -> [89.34.99.133] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203798; rev:1;) alert tcp $HOME_NET any -> [91.139.236.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203799; rev:1;) alert tcp $HOME_NET any -> [172.93.37.143] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203800; rev:1;) alert tcp $HOME_NET any -> [216.244.71.140] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203801; rev:1;) alert tcp $HOME_NET any -> [219.92.199.191] 4442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203802; rev:1;) alert tcp $HOME_NET any -> [37.59.183.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203803; rev:1;) alert tcp $HOME_NET any -> [84.40.65.85] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203804; rev:1;) alert tcp $HOME_NET any -> [5.152.210.165] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203805; rev:1;) alert tcp $HOME_NET any -> [93.190.142.100] 8090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203806; rev:1;) alert tcp $HOME_NET any -> [172.81.178.93] 1033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203807; rev:1;) alert tcp $HOME_NET any -> [37.230.228.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203808; rev:1;) alert tcp $HOME_NET any -> [95.140.125.28] 9977 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203809; rev:1;) alert tcp $HOME_NET any -> [172.93.148.175] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203810; rev:1;) alert tcp $HOME_NET any -> [213.184.126.153] 5001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203811; rev:1;) alert tcp $HOME_NET any -> [176.10.124.236] 8073 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203812; rev:1;) alert tcp $HOME_NET any -> [93.123.73.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203813; rev:1;) alert tcp $HOME_NET any -> [87.121.76.172] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203814; rev:1;) alert tcp $HOME_NET any -> [185.40.20.42] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203815; rev:1;) alert tcp $HOME_NET any -> [185.145.45.73] 4111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203816; rev:1;) alert tcp $HOME_NET any -> [178.175.138.143] 2098 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203817; rev:1;) alert tcp $HOME_NET any -> [146.255.79.175] 7524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203818; rev:1;) alert tcp $HOME_NET any -> [181.215.247.219] 3088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203819; rev:1;) alert tcp $HOME_NET any -> [212.7.218.64] 19989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203820; rev:1;) alert tcp $HOME_NET any -> [194.68.59.33] 7793 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203821; rev:1;) alert tcp $HOME_NET any -> [178.175.138.196] 2024 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203822; rev:1;) alert tcp $HOME_NET any -> [188.165.62.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203823; rev:1;) alert tcp $HOME_NET any -> [146.255.79.170] 7054 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203824; rev:1;) alert tcp 
$HOME_NET any -> [210.16.102.142] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203825; rev:1;) alert tcp $HOME_NET any -> [209.141.38.25] 3479 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203826; rev:1;) alert tcp $HOME_NET any -> [78.130.176.162] 54669 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203827; rev:1;) alert tcp $HOME_NET any -> [5.187.49.227] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203828; rev:1;) alert tcp $HOME_NET any -> [23.105.131.190] 7088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203829; rev:1;) alert tcp $HOME_NET any -> [213.183.58.52] 4644 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203830; rev:1;) alert tcp $HOME_NET any -> [162.248.75.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203831; rev:1;) alert tcp $HOME_NET any -> [24.13.179.247] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203832; rev:1;) alert tcp $HOME_NET any -> [185.189.112.134] 8091 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203833; rev:1;) alert tcp $HOME_NET any -> [178.175.138.200] 4571 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203834; rev:1;) alert tcp $HOME_NET any -> [144.208.126.172] 1995 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203835; rev:1;) alert tcp $HOME_NET any -> [104.171.113.230] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203836; rev:1;) alert tcp $HOME_NET any -> [191.101.22.15] 7928 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203837; rev:1;) alert tcp $HOME_NET any -> [64.15.75.83] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203838; rev:1;) alert tcp $HOME_NET any -> [195.62.52.100] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203839; rev:1;) alert tcp $HOME_NET any -> [79.172.242.32] 7278 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905203840; rev:1;) alert tcp $HOME_NET any -> [209.141.39.145] 9005 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203841; rev:1;) alert tcp $HOME_NET any -> [176.10.124.245] 7000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203842; rev:1;) alert tcp $HOME_NET any -> [91.236.116.142] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203843; rev:1;) alert tcp $HOME_NET any -> [212.7.208.88] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203844; rev:1;) alert tcp $HOME_NET any -> [146.255.79.169] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203845; rev:1;) alert tcp $HOME_NET any -> [185.145.45.9] 2176 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203846; rev:1;) alert tcp $HOME_NET any -> [54.85.217.174] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203847; rev:1;) alert tcp $HOME_NET any -> [192.253.242.233] 6061 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203848; rev:1;) alert tcp $HOME_NET any -> [210.186.224.62] 4442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203849; rev:1;) alert tcp $HOME_NET any -> [194.68.59.36] 100 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203850; rev:1;) alert tcp $HOME_NET any -> [191.101.22.21] 9876 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203851; rev:1;) alert tcp $HOME_NET any -> [174.127.99.153] 7789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203852; rev:1;) alert tcp $HOME_NET any -> [174.127.99.171] 2017 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203853; rev:1;) alert tcp $HOME_NET any -> [37.49.224.26] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203854; rev:1;) alert tcp $HOME_NET any -> [146.255.79.170] 8190 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203855; rev:1;) alert tcp $HOME_NET any -> [185.29.9.15] 9220 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203856; rev:1;) alert tcp $HOME_NET any -> [213.183.58.42] 3012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203857; rev:1;) alert tcp $HOME_NET any -> [192.166.218.230] 1779 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203858; rev:1;) alert tcp $HOME_NET any -> [174.127.99.130] 2014 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203859; rev:1;) alert tcp $HOME_NET any -> [213.183.58.34] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203860; rev:1;) alert tcp $HOME_NET any -> [5.187.49.226] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203861; rev:1;) alert tcp $HOME_NET any -> [23.227.201.27] 5053 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203862; rev:1;) alert tcp $HOME_NET any -> [185.141.27.19] 1008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203863; rev:1;) alert tcp $HOME_NET any -> [213.183.58.56] 7777 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203864; rev:1;) alert tcp $HOME_NET any -> [37.10.71.146] 1961 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203865; rev:1;) alert tcp $HOME_NET any -> [185.84.181.89] 3545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203866; rev:1;) alert tcp $HOME_NET any -> [144.208.127.126] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203867; rev:1;) alert tcp $HOME_NET any -> [213.183.58.37] 64666 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203868; rev:1;) alert tcp $HOME_NET any -> [185.153.229.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Nexuslogger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203869; rev:1;) alert tcp $HOME_NET any -> [95.141.43.219] 2204 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203870; rev:1;) alert tcp $HOME_NET any -> [204.152.219.112] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203871; rev:1;) alert tcp $HOME_NET any -> [146.71.87.103] 1992 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203872; rev:1;) alert tcp $HOME_NET any -> [185.208.170.155] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203873; rev:1;) alert tcp $HOME_NET any -> [185.145.45.145] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203874; rev:1;) alert tcp $HOME_NET any -> [95.167.151.228] 7769 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203875; rev:1;) alert tcp $HOME_NET any -> [195.88.208.202] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203876; rev:1;) alert tcp $HOME_NET any -> [212.7.218.143] 7543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203877; rev:1;) alert tcp $HOME_NET any -> [84.238.198.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203878; rev:1;) alert tcp $HOME_NET any -> [172.82.162.246] 8090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203879; rev:1;) alert tcp 
$HOME_NET any -> [213.183.58.34] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203880; rev:1;) alert tcp $HOME_NET any -> [176.10.124.234] 1903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203881; rev:1;) alert tcp $HOME_NET any -> [188.165.26.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203882; rev:1;) alert tcp $HOME_NET any -> [193.105.134.78] 1472 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203883; rev:1;) alert tcp $HOME_NET any -> [89.35.228.232] 4044 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203884; rev:1;) alert tcp $HOME_NET any -> [174.127.99.146] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203885; rev:1;) alert tcp $HOME_NET any -> [192.237.180.245] 667 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203886; rev:1;) alert tcp $HOME_NET any -> [176.10.124.226] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203887; rev:1;) alert tcp $HOME_NET any -> [5.133.15.5] 4245 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203888; rev:1;) alert tcp $HOME_NET any -> [23.105.131.186] 1101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203889; rev:1;) alert tcp $HOME_NET any -> [178.175.138.200] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203890; rev:1;) alert tcp $HOME_NET any -> [151.80.84.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203891; rev:1;) alert tcp $HOME_NET any -> [185.120.144.151] 1906 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203892; rev:1;) alert tcp $HOME_NET any -> [204.152.219.93] 4466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203893; rev:1;) alert tcp $HOME_NET any -> [23.105.131.156] 4321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203894; rev:1;) alert tcp $HOME_NET any -> [146.71.87.11] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203895; rev:1;) alert tcp $HOME_NET any -> [174.127.99.128] 3445 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203896; rev:1;) alert tcp $HOME_NET any -> [38.95.111.202] 5577 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203897; rev:1;) alert tcp $HOME_NET any -> [66.11.124.213] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203898; rev:1;) alert tcp $HOME_NET any -> [185.75.59.209] 7719 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203899; rev:1;) alert tcp $HOME_NET any -> [172.93.148.168] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203900; rev:1;) alert tcp $HOME_NET any -> [23.105.131.158] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203901; rev:1;) alert tcp $HOME_NET any -> [181.215.247.123] 1605 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203902; rev:1;) alert tcp $HOME_NET any -> [185.208.210.40] 1334 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203903; rev:1;) alert tcp $HOME_NET any -> [213.184.126.131] 6022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203904; rev:1;) alert tcp $HOME_NET any -> [185.30.144.205] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203905; rev:1;) alert tcp $HOME_NET any -> [81.95.123.210] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203906; rev:1;) alert tcp $HOME_NET any -> [91.214.114.179] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203907; rev:1;) alert tcp $HOME_NET any -> [131.153.37.30] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203908; rev:1;) alert tcp $HOME_NET any -> [69.247.60.183] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203909; rev:1;) alert tcp $HOME_NET any -> [209.200.27.76] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203910; rev:1;) alert tcp $HOME_NET any -> [205.185.117.108] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203911; rev:1;) alert tcp $HOME_NET any -> [193.124.117.102] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203912; rev:1;) alert tcp $HOME_NET any -> [185.172.31.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203913; rev:1;) alert tcp $HOME_NET any -> [213.152.161.149] 3487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203914; rev:1;) alert tcp $HOME_NET any -> [154.16.49.165] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203915; rev:1;) alert tcp $HOME_NET any -> [94.242.252.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203916; rev:1;) alert tcp $HOME_NET any -> [5.8.88.40] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203917; rev:1;) alert tcp $HOME_NET any -> [5.188.231.10] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203918; rev:1;) alert tcp $HOME_NET any -> [94.242.208.183] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203919; rev:1;) alert tcp $HOME_NET any -> [146.185.254.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203920; rev:1;) alert tcp $HOME_NET any -> [37.59.183.143] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203921; rev:1;) alert tcp $HOME_NET any -> [37.59.80.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203922; rev:1;) alert tcp $HOME_NET any -> [5.8.88.194] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203923; rev:1;) alert tcp $HOME_NET any -> [94.23.170.129] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203924; rev:1;) alert tcp $HOME_NET any -> [94.74.81.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203925; rev:1;) alert tcp $HOME_NET any -> [5.188.231.125] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203926; rev:1;) alert tcp $HOME_NET any -> [185.84.181.96] 2556 (msg:"SSLBL: 
Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203927; rev:1;) alert tcp $HOME_NET any -> [185.84.181.78] 2022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203928; rev:1;) alert tcp $HOME_NET any -> [103.68.223.134] 6329 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203929; rev:1;) alert tcp $HOME_NET any -> [213.183.58.35] 2446 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203930; rev:1;) alert tcp $HOME_NET any -> [185.84.181.89] 7262 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203931; rev:1;) alert tcp $HOME_NET any -> [216.244.79.18] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203932; rev:1;) alert tcp $HOME_NET any -> [154.16.49.142] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203933; rev:1;) alert tcp $HOME_NET any -> [213.183.58.35] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203934; rev:1;) alert tcp $HOME_NET any -> 
[154.16.49.141] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203935; rev:1;) alert tcp $HOME_NET any -> [86.99.122.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203936; rev:1;) alert tcp $HOME_NET any -> [95.141.43.199] 9090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203937; rev:1;) alert tcp $HOME_NET any -> [154.16.49.125] 4087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203938; rev:1;) alert tcp $HOME_NET any -> [209.222.111.183] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203939; rev:1;) alert tcp $HOME_NET any -> [172.94.117.219] 1609 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203940; rev:1;) alert tcp $HOME_NET any -> [154.16.49.144] 3087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203941; rev:1;) alert tcp $HOME_NET any -> [31.171.155.68] 9455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203942; rev:1;) 
# Review note on the rules in this list:
# - Each rule matches on endpoint only: an established TCP flow from $HOME_NET
#   to one listed IP and port (flow:established,to_server). No payload or TLS
#   field is inspected, so a hit shows contact with the listed endpoint; the
#   malware family in msg is the feed's "likely" attribution, not a confirmed
#   detection.
# - "threshold: type limit, track by_src, seconds 60, count 1" caps each rule
#   at one alert per source address per 60 seconds, so alert counts understate
#   the number of connections.
# - IP:port indicators age as addresses are reassigned; compare an entry with
#   the current SSLBL feed (see the "Last updated" stamp in the file header)
#   before triage or blocking.
# - NOTE(review): in-rule "threshold" is deprecated in Snort 2.x in favour of
#   detection_filter / event_filter, while Suricata still accepts it; confirm
#   for the engine in use.
# - NOTE(review): rules on this page wrap across physical lines; restore one
#   rule per line before loading the file into an engine.
alert tcp $HOME_NET any -> [178.175.138.224] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203943; rev:1;) alert tcp $HOME_NET any -> [212.7.218.60] 2010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203944; rev:1;) alert tcp $HOME_NET any -> [189.84.113.83] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203945; rev:1;) alert tcp $HOME_NET any -> [91.236.116.143] 2322 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203946; rev:1;) alert tcp $HOME_NET any -> [23.253.243.44] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203947; rev:1;) alert tcp $HOME_NET any -> [190.34.158.250] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203948; rev:1;) alert tcp $HOME_NET any -> [118.91.178.145] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203949; rev:1;) alert tcp $HOME_NET any -> [118.91.178.98] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203950; rev:1;) alert tcp $HOME_NET any -> [118.91.178.114] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203951; rev:1;) alert tcp $HOME_NET any -> [213.183.58.50] 4055 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203952; rev:1;) alert tcp $HOME_NET any -> [194.68.59.77] 3443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203953; rev:1;) alert tcp $HOME_NET any -> [186.114.237.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203954; rev:1;) alert tcp $HOME_NET any -> [93.99.68.140] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203955; rev:1;) alert tcp $HOME_NET any -> [213.183.58.54] 2558 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203956; rev:1;) alert tcp $HOME_NET any -> [194.87.111.85] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203957; rev:1;) alert tcp $HOME_NET any -> [46.160.165.31] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203958; rev:1;) alert tcp $HOME_NET any -> [83.234.136.55] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203959; rev:1;) alert tcp $HOME_NET any -> [46.160.165.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203960; rev:1;) alert tcp $HOME_NET any -> [195.133.197.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203961; rev:1;) alert tcp $HOME_NET any -> [91.206.4.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203962; rev:1;) alert tcp $HOME_NET any -> [186.103.161.204] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203963; rev:1;) alert tcp $HOME_NET any -> [154.16.49.145] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203964; rev:1;) alert tcp $HOME_NET any -> [179.33.115.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203965; rev:1;) alert tcp $HOME_NET any -> [117.200.11.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203966; rev:1;) alert tcp $HOME_NET any -> [161.10.39.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203967; rev:1;) alert tcp $HOME_NET any -> [200.28.113.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203968; rev:1;) alert tcp $HOME_NET any -> [206.221.186.201] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203969; rev:1;) alert tcp $HOME_NET any -> [195.2.252.178] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203970; rev:1;) alert tcp $HOME_NET any -> [85.228.193.94] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203971; rev:1;) alert tcp $HOME_NET any -> [195.62.53.213] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203972; rev:1;) alert tcp $HOME_NET any -> [213.183.58.55] 2426 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203973; rev:1;) alert tcp $HOME_NET any -> [213.183.58.29] 2559 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203974; rev:1;) alert tcp $HOME_NET any -> [213.183.58.27] 6442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203975; rev:1;) alert tcp $HOME_NET any -> [104.243.37.52] 7070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203976; rev:1;) alert tcp $HOME_NET any -> [213.183.58.53] 41969 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203977; rev:1;) alert tcp $HOME_NET any -> [213.208.129.198] 5564 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203978; rev:1;) alert tcp $HOME_NET any -> [89.231.13.33] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203979; rev:1;) alert tcp $HOME_NET any -> [163.53.206.187] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203980; rev:1;) alert tcp $HOME_NET any -> [89.231.13.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203981; rev:1;) alert tcp $HOME_NET any -> [161.10.192.68] 443 
(msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203982; rev:1;)
# NOTE(review): every rule in this feed has the same shape. It alerts on an
# established, to-server TCP flow from $HOME_NET to one listed destination IP
# and port. There is no payload, TLS or certificate match, so the malware
# family named in msg is the feed's attribution ("likely"), not something the
# rule verifies on the wire.
# `threshold: type limit, track by_src, seconds 60, count 1` caps output at one
# alert per source address per rule per 60 seconds, so alert counts understate
# connection counts; use flow records to size the activity.
# IP:port indicators age. The file header gives 2021-01-19 as the last update
# and labels this the "Aggressive" set (presumably the variant that keeps older
# entries -- confirm on the abuse.ch page). Addresses get reassigned and ports
# such as 443 can sit on shared infrastructure, so treat a hit as a lead and
# corroborate with TLS certificate fingerprint, DNS and endpoint telemetry.
# NOTE(review): the Snort 2.9 manual marks the in-rule threshold keyword as
# deprecated in favour of detection_filter / event_filter; confirm the target
# engine version still accepts it before loading the file.
alert tcp $HOME_NET any -> [159.224.26.79] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203983; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203984; rev:1;)
alert tcp $HOME_NET any -> [195.69.196.77] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203985; rev:1;)
alert tcp $HOME_NET any -> [94.42.91.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203986; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.29] 1609 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203987; rev:1;)
alert tcp $HOME_NET any -> [23.227.201.157] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203988; rev:1;)
alert tcp $HOME_NET any -> [191.7.30.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203989; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.145] 7171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203990; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.48] 6464 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203991; rev:1;)
alert tcp $HOME_NET any -> [95.141.43.196] 6660 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203992; rev:1;)
alert tcp $HOME_NET any -> [213.183.40.11] 9797 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203993; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.249] 4487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203994; rev:1;)
alert tcp $HOME_NET any -> [163.47.20.60] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203995; rev:1;)
alert tcp $HOME_NET any -> [31.215.129.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203996; rev:1;)
alert tcp $HOME_NET any -> [212.24.109.200] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203997; rev:1;)
alert tcp $HOME_NET any -> [188.255.249.27] 445 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203998; rev:1;)
alert tcp $HOME_NET any -> [121.41.25.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203999; rev:1;)
alert tcp $HOME_NET any -> [107.181.187.141] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204000; rev:1;)
alert tcp $HOME_NET any -> [94.27.36.66] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204001; rev:1;)
alert tcp $HOME_NET any -> [67.130.166.121] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204002; rev:1;)
alert tcp $HOME_NET any -> [212.24.110.190] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204003; rev:1;)
alert tcp $HOME_NET any -> [89.231.13.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204004; rev:1;)
alert tcp $HOME_NET any -> [89.231.13.18] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204005; rev:1;)
alert tcp $HOME_NET any -> [212.24.110.154] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204006; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.217] 3001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204007; rev:1;)
alert tcp $HOME_NET any -> [62.113.202.70] 5643 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204008; rev:1;)
alert tcp $HOME_NET any -> [212.24.109.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204009; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.141] 1506 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204010; rev:1;)
alert tcp $HOME_NET any -> [154.16.220.106] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204011; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.212] 54689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204012; rev:1;)
alert tcp $HOME_NET any -> [154.16.220.161] 1101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204013; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.121] 7760 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204014; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.44] 6466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204015; rev:1;)
alert tcp $HOME_NET any -> [46.183.222.37] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204016; rev:1;)
alert tcp $HOME_NET any -> [104.153.108.150] 3281 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204017; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.100] 9060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204018; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.67] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204019; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.228] 9018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204020; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.69] 2245 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204021; rev:1;)
alert tcp $HOME_NET any -> [23.105.128.147] 2070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204022; rev:1;)
alert tcp $HOME_NET any -> [50.2.13.182] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204023; rev:1;)
alert tcp $HOME_NET any -> [173.254.223.124] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204024; rev:1;)
alert tcp $HOME_NET any -> [184.75.210.206] 7262 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204025; rev:1;)
alert tcp $HOME_NET any -> [176.9.99.134] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204026; rev:1;)
alert tcp $HOME_NET any -> [185.101.34.119] 1933 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204027; rev:1;)
alert tcp $HOME_NET any -> [184.75.209.178] 9001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204028; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.188] 8040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204029; rev:1;)
alert tcp $HOME_NET any -> [47.88.17.2] 25432 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204030; rev:1;)
alert tcp $HOME_NET any -> [59.98.97.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204031; rev:1;)
alert tcp $HOME_NET any -> [89.223.31.232] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204032; rev:1;)
alert tcp $HOME_NET any -> [181.234.125.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204033; rev:1;)
alert tcp $HOME_NET any -> [181.234.131.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204034; rev:1;)
alert tcp $HOME_NET any -> [184.75.209.164] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204035; rev:1;)
alert tcp $HOME_NET any -> [181.234.110.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204036; rev:1;)
alert tcp $HOME_NET any -> [217.164.82.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204037; rev:1;)
alert tcp $HOME_NET any -> [70.169.12.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204038; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.54] 7956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204039; rev:1;)
alert tcp $HOME_NET any -> [195.225.231.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204040; rev:1;)
alert tcp $HOME_NET any -> [95.104.2.225] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204041; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.195] 27180 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204042; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.194] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204043; rev:1;)
alert tcp $HOME_NET any -> [198.12.96.155] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204044; rev:1;)
# Same destination IP as sid:905204010 (port 1506); this entry covers port 1030.
# Each IP:port pair is its own rule and sid, so one host can raise two alerts.
alert tcp $HOME_NET any -> [91.236.116.141] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204045; rev:1;)
alert tcp $HOME_NET any -> [217.19.223.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204046; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.198] 2727 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204047; rev:1;)
alert tcp $HOME_NET any -> [123.206.198.12] 8888 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204048; rev:1;)
alert tcp $HOME_NET any -> [137.74.103.16] 9090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204049; rev:1;)
alert tcp $HOME_NET any -> [37.235.49.220] 1111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204050; rev:1;)
alert tcp $HOME_NET any -> [117.199.204.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204051; rev:1;)
alert tcp $HOME_NET any -> [185.101.34.69] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204052; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.240] 9888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204053; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.205] 9090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204054; rev:1;)
alert tcp $HOME_NET any -> [163.47.20.67] 1975 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204055; rev:1;)
alert tcp $HOME_NET any -> [154.16.201.3] 21777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204056; rev:1;)
# Same destination IP as sid:905204053 (port 9888); this entry covers port 1111.
alert tcp $HOME_NET any -> [160.202.163.240] 1111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204057; rev:1;)
alert tcp $HOME_NET any -> [49.156.45.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204058; rev:1;)
alert tcp $HOME_NET any -> [179.43.158.169] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204059; rev:1;)
alert tcp $HOME_NET any -> [195.225.231.79] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204060; rev:1;)
alert tcp $HOME_NET any -> [115.186.139.104] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204061; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.251] 7755 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204062; rev:1;)
alert tcp $HOME_NET any -> [82.153.121.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204063; rev:1;)
alert tcp $HOME_NET any -> [87.120.254.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204064; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.211] 17387 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204065; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.248] 8854 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204066; rev:1;)
alert tcp $HOME_NET any -> [81.95.126.146] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204067; rev:1;)
alert tcp $HOME_NET any -> [198.100.127.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204068; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.3] 9455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204069; rev:1;)
alert tcp $HOME_NET any -> [204.152.219.120] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204070; rev:1;)
alert tcp $HOME_NET any -> [46.183.217.22] 1608 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204071; rev:1;)
alert tcp $HOME_NET any -> [84.200.65.35] 7274 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204072; rev:1;)
alert tcp $HOME_NET any -> [45.63.7.73] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204073; rev:1;)
alert tcp $HOME_NET any -> [198.100.157.155] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204074; rev:1;)
alert tcp $HOME_NET any -> [151.80.84.3] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204075; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.232] 9978 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204076; rev:1;)
alert tcp $HOME_NET any -> [62.141.34.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204077; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.138] 2010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204078; rev:1;)
alert tcp $HOME_NET any -> [82.146.46.207] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204079; rev:1;)
alert tcp $HOME_NET any -> [24.184.200.177] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204080; rev:1;)
alert tcp $HOME_NET any -> [5.172.34.138] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204081; rev:1;)
alert tcp $HOME_NET any -> [96.9.69.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204082; rev:1;)
alert tcp $HOME_NET any -> [186.27.192.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204083; rev:1;)
alert tcp $HOME_NET any -> [188.124.170.93] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204084; rev:1;)
alert tcp $HOME_NET any -> [5.101.4.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204085; rev:1;)
alert tcp $HOME_NET any -> [117.99.183.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204086; rev:1;)
alert tcp $HOME_NET any -> [46.102.152.208] 1350 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204087; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.250] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204088; rev:1;)
alert tcp $HOME_NET any -> [5.175.225.33] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204089; rev:1;)
alert tcp $HOME_NET any -> [186.208.106.234] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204090; rev:1;)
alert tcp $HOME_NET any -> [154.73.28.239] 78 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204091; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.172] 8484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204092; rev:1;)
alert tcp $HOME_NET any -> [186.107.17.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204093; rev:1;)
alert tcp $HOME_NET any -> [104.153.108.111] 9200 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204094; rev:1;)
alert tcp $HOME_NET any -> [195.88.209.221] 4413 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204095; rev:1;)
alert tcp $HOME_NET any -> [185.92.239.14] 7755 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204096; rev:1;)
alert tcp $HOME_NET any -> [217.197.39.1] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204097; rev:1;)
alert tcp $HOME_NET any -> [178.32.255.130] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204098; rev:1;)
alert tcp $HOME_NET any -> [91.219.28.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204099; rev:1;)
alert tcp $HOME_NET any -> [181.215.47.182] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204100; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.146] 1011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204101; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.178] 5001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204102; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.28] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204103; rev:1;)
alert tcp $HOME_NET any -> [195.54.162.230] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204104; rev:1;)
alert tcp $HOME_NET any -> [71.79.50.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204105; rev:1;)
alert tcp $HOME_NET any -> [208.87.225.248] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204106; rev:1;)
alert tcp $HOME_NET any -> [185.75.59.226] 9945 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204107; rev:1;)
alert tcp $HOME_NET any -> [45.51.20.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204108; rev:1;)
alert tcp $HOME_NET any -> [202.195.246.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204109; rev:1;)
alert tcp $HOME_NET any -> [149.62.168.5] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204110; rev:1;)
alert tcp $HOME_NET any -> [185.98.86.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204111; rev:1;)
alert tcp $HOME_NET any -> [81.12.229.190] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204112; rev:1;)
alert tcp $HOME_NET any -> [194.1.238.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:establis