################################################################
# abuse.ch SSLBL Snort / Suricata Botnet C2 IP Ruleset         #
#   Aggressive                                                 #
# Last updated: 2024-04-17 18:50:38 UTC                        #
#                                                              #
# Terms Of Use: https://sslbl.abuse.ch/blacklist/              #
# For questions please contact sslbl [at] abuse.ch             #
################################################################
#
# Layout: one rule per physical line. Rule text, order, sids and revs are
# unchanged from the published copy; only line breaks were restored.
#
# Reviewer notes for anyone loading this file into a sensor:
#  - Every rule matches on destination IP and port only
#    (flow:established,to_server). No TLS certificate, SNI or payload is
#    inspected, so an alert means "a $HOME_NET host completed a TCP session
#    to a listed endpoint"; the family named in msg is the feed's label for
#    that endpoint, not something observed on the wire.
#  - The entries are point-in-time indicators as of the "Last updated" stamp
#    above. Addresses get reassigned; pull a fresh copy from the feed rather
#    than loading an archived one, and age out stale alerts accordingly.
#  - The header labels this the "Aggressive" variant; presumably it trades
#    precision for coverage. Confirm against the feed documentation before
#    using it for anything other than alerting.
#  - 104.21.44.122 and 172.67.221.168 on port 443 (sid 905200051/905200052)
#    fall in address space commonly announced by Cloudflare (confirm with an
#    ASN lookup). Shared CDN front ends serve many unrelated sites, so these
#    two rules need SNI/DNS context during triage.
#  - sid 905200128 and sid 905200129 have the same destination
#    (5.75.147.113 port 3000) with different family labels; one connection
#    raises both alerts.
#  - "threshold: type limit, track by_src, seconds 60, count 1" caps each
#    rule at one alert per source address per 60 seconds, so alert counts
#    understate connection counts. Snort's manual marks the in-rule
#    threshold option as deprecated in favour of event_filter /
#    detection_filter, while Suricata accepts it; check which engine and
#    version will load this file.
#
alert tcp $HOME_NET any -> [65.109.242.73] 443 (msg:"SSLBL: Traffic to malicious host (likely zgRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200000; rev:1;)
alert tcp $HOME_NET any -> [45.32.168.59] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200001; rev:1;)
alert tcp $HOME_NET any -> [173.211.46.114] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200002; rev:1;)
alert tcp $HOME_NET any -> [157.90.25.39] 5432 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200003; rev:1;)
alert tcp $HOME_NET any -> [49.13.149.204] 9000 (msg:"SSLBL: Traffic to malicious host (likely Vidar C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200004; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.131] 443 (msg:"SSLBL: Traffic to malicious host (likely MarsStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200005; rev:1;)
alert tcp $HOME_NET any -> [195.201.47.150] 5432 (msg:"SSLBL: Traffic to malicious host (likely Vidar C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200006; rev:1;)
alert tcp $HOME_NET any -> [45.11.229.96] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200007; rev:1;)
alert tcp $HOME_NET any -> [91.207.102.163] 9899 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200008; rev:1;)
alert tcp $HOME_NET any -> [51.79.171.174] 1337 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200009; rev:1;)
alert tcp $HOME_NET any -> [185.125.50.121] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200010; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.169] 3434 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200011; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.209] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200012; rev:1;)
alert tcp $HOME_NET any -> [16.171.25.219] 8099 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200013; rev:1;)
alert tcp $HOME_NET any -> [162.230.48.189] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200014; rev:1;)
alert tcp $HOME_NET any -> [95.217.42.84] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200015; rev:1;)
alert tcp $HOME_NET any -> [144.217.189.92] 3000 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200016; rev:1;)
alert tcp $HOME_NET any -> [94.156.10.119] 443 (msg:"SSLBL: Traffic to malicious host (likely AgentTesla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200017; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.44] 4787 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200018; rev:1;)
alert tcp $HOME_NET any -> [217.63.234.90] 1313 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200019; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.85] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200020; rev:1;)
alert tcp $HOME_NET any -> [194.62.248.64] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200021; rev:1;)
alert tcp $HOME_NET any -> [45.157.69.156] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200022; rev:1;)
alert tcp $HOME_NET any -> [172.94.105.163] 2222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200023; rev:1;)
alert tcp $HOME_NET any -> [51.142.10.24] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200024; rev:1;)
alert tcp $HOME_NET any -> [45.91.226.131] 1145 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200025; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.18] 1128 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200026; rev:1;)
alert tcp $HOME_NET any -> [103.211.56.154] 14782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200027; rev:1;)
alert tcp $HOME_NET any -> [154.30.255.175] 8887 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200028; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.24] 8808 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200029; rev:1;)
alert tcp $HOME_NET any -> [154.27.70.229] 56002 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200030; rev:1;)
alert tcp $HOME_NET any -> [175.42.18.7] 4784 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200031; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 41985 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200032; rev:1;)
alert tcp $HOME_NET any -> [103.155.214.203] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200033; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.228] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200034; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.83] 4785 (msg:"SSLBL: Traffic to malicious host (likely Rhadamanthys C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200035; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.28] 8075 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200036; rev:1;)
alert tcp $HOME_NET any -> [192.151.244.144] 14782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200037; rev:1;)
alert tcp $HOME_NET any -> [168.75.105.185] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200038; rev:1;)
alert tcp $HOME_NET any -> [49.13.200.170] 7878 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200039; rev:1;)
alert tcp $HOME_NET any -> [118.195.235.103] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200040; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 56901 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200041; rev:1;)
alert tcp $HOME_NET any -> [45.134.83.165] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200042; rev:1;)
alert tcp $HOME_NET any -> [20.117.169.244] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200043; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.138] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200044; rev:1;)
alert tcp $HOME_NET any -> [172.174.236.21] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200045; rev:1;)
alert tcp $HOME_NET any -> [154.27.70.229] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200046; rev:1;)
alert tcp $HOME_NET any -> [20.26.126.28] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200047; rev:1;)
alert tcp $HOME_NET any -> [196.112.147.229] 5566 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200048; rev:1;)
alert tcp $HOME_NET any -> [18.134.234.207] 3306 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200049; rev:1;)
alert tcp $HOME_NET any -> [104.243.46.129] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200050; rev:1;)
alert tcp $HOME_NET any -> [104.21.44.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Latrodectus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200051; rev:1;)
alert tcp $HOME_NET any -> [172.67.221.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Latrodectus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200052; rev:1;)
alert tcp $HOME_NET any -> [186.169.36.241] 7082 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200053; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.16] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200054; rev:1;)
alert tcp $HOME_NET any -> [1.14.206.144] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200055; rev:1;)
alert tcp $HOME_NET any -> [185.16.39.253] 8888 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200056; rev:1;)
alert tcp $HOME_NET any -> [91.92.242.133] 2025 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200057; rev:1;)
alert tcp $HOME_NET any -> [20.117.106.245] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200058; rev:1;)
alert tcp $HOME_NET any -> [212.193.11.40] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200059; rev:1;)
alert tcp $HOME_NET any -> [88.80.145.97] 56001 (msg:"SSLBL: Traffic to malicious host (likely PureLogStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200060; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.202] 2024 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200061; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.217] 3162 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200062; rev:1;)
alert tcp $HOME_NET any -> [91.134.150.145] 56001 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200063; rev:1;)
alert tcp $HOME_NET any -> [110.139.46.105] 36969 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200064; rev:1;)
alert tcp $HOME_NET any -> [90.15.154.112] 4789 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200065; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.186] 6606 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200066; rev:1;)
alert tcp $HOME_NET any -> [45.145.55.81] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200067; rev:1;)
alert tcp $HOME_NET any -> [103.13.210.210] 8080 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200068; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.138] 3320 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200069; rev:1;)
alert tcp $HOME_NET any -> [80.79.7.197] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200070; rev:1;)
alert tcp $HOME_NET any -> [172.94.32.33] 8881 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200071; rev:1;)
alert tcp $HOME_NET any -> [139.84.229.159] 1980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200072; rev:1;)
alert tcp $HOME_NET any -> [94.102.155.46] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200073; rev:1;)
alert tcp $HOME_NET any -> [172.203.173.71] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200074; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.14] 4412 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200075; rev:1;)
alert tcp $HOME_NET any -> [80.85.142.30] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200076; rev:1;)
alert tcp $HOME_NET any -> [146.70.161.85] 4217 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200077; rev:1;)
alert tcp $HOME_NET any -> [103.67.162.240] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200078; rev:1;)
alert tcp $HOME_NET any -> [203.20.113.158] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200079; rev:1;)
alert tcp $HOME_NET any -> [72.11.158.94] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200080; rev:1;)
alert tcp $HOME_NET any -> [64.52.171.220] 56003 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200081; rev:1;)
alert tcp $HOME_NET any -> [64.52.171.220] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200082; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.160] 3232 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200083; rev:1;)
alert tcp $HOME_NET any -> [209.145.59.89] 443 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200084; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.54] 4782 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200085; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.67] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200086; rev:1;)
alert tcp $HOME_NET any -> [45.144.153.54] 9495 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200087; rev:1;)
alert tcp $HOME_NET any -> [147.124.212.75] 2010 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200088; rev:1;)
alert tcp $HOME_NET any -> [45.15.156.13] 443 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200089; rev:1;)
alert tcp $HOME_NET any -> [98.26.85.5] 6969 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200090; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.40] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200091; rev:1;)
alert tcp $HOME_NET any -> [43.248.140.95] 3261 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200092; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.231] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200093; rev:1;)
alert tcp $HOME_NET any -> [94.249.3.0] 6565 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200094; rev:1;)
alert tcp $HOME_NET any -> [77.105.132.124] 2525 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200095; rev:1;)
alert tcp $HOME_NET any -> [116.202.0.196] 10220 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200096; rev:1;)
alert tcp $HOME_NET any -> [87.251.66.248] 443 (msg:"SSLBL: Traffic to malicious host (likely T34loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200097; rev:1;)
alert tcp $HOME_NET any -> [49.12.114.15] 10220 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200098; rev:1;)
alert tcp $HOME_NET any -> [65.20.67.1] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200099; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.15] 1234 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200100; rev:1;)
alert tcp $HOME_NET any -> [45.145.229.151] 19505 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200101; rev:1;)
alert tcp $HOME_NET any -> [193.56.253.102] 25565 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200102; rev:1;)
alert tcp $HOME_NET any -> [162.14.105.120] 8848 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200103; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.243] 4887 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200104; rev:1;)
alert tcp $HOME_NET any -> [105.157.214.201] 8844 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200105; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 10680 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200106; rev:1;)
alert tcp $HOME_NET any -> [3.127.253.86] 10680 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200107; rev:1;)
alert tcp $HOME_NET any -> [52.28.112.211] 10680 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200108; rev:1;)
alert tcp $HOME_NET any -> [81.70.183.244] 8848 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200109; rev:1;)
alert tcp $HOME_NET any -> [27.147.169.101] 3333 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200110; rev:1;)
alert tcp $HOME_NET any -> [91.198.66.47] 1881 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200111; rev:1;)
alert tcp $HOME_NET any -> [5.75.220.180] 2024 (msg:"SSLBL: Traffic to malicious host (likely Vidar C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200112; rev:1;)
alert tcp $HOME_NET any -> [103.13.209.45] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200113; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.145] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200114; rev:1;)
alert tcp $HOME_NET any -> [27.102.134.120] 8848 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200115; rev:1;)
alert tcp $HOME_NET any -> [101.43.228.101] 8848 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200116; rev:1;)
alert tcp $HOME_NET any -> [147.189.169.67] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200117; rev:1;)
alert tcp $HOME_NET any -> [15.235.3.1] 2000 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200118; rev:1;)
alert tcp $HOME_NET any -> [15.235.3.1] 2001 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200119; rev:1;)
alert tcp $HOME_NET any -> [87.121.87.36] 1335 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200120; rev:1;)
alert tcp $HOME_NET any -> [206.123.135.125] 2008 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200121; rev:1;)
alert tcp $HOME_NET any -> [27.124.3.19] 6606 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200122; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.130] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200123; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.124] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200124; rev:1;)
alert tcp $HOME_NET any -> [139.155.155.148] 8848 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200125; rev:1;)
alert tcp $HOME_NET any -> [42.192.132.36] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200126; rev:1;)
alert tcp $HOME_NET any -> [222.211.73.134] 5666 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200127; rev:1;)
alert tcp $HOME_NET any -> [5.75.147.113] 3000 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200128; rev:1;)
alert tcp $HOME_NET any -> [5.75.147.113] 3000 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200129; rev:1;)
alert tcp $HOME_NET any -> [20.199.26.211] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200130; rev:1;)
alert tcp $HOME_NET any -> [8.212.49.198] 9827 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200131; rev:1;)
alert tcp $HOME_NET any -> [207.246.82.230] 5290 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200132; rev:1;)
alert tcp $HOME_NET any -> [139.84.229.159] 1988 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200133; rev:1;)
alert tcp $HOME_NET any -> [77.232.132.25] 4999 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200134; rev:1;)
alert tcp $HOME_NET any -> [181.41.200.232] 4000 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200135; rev:1;)
alert tcp $HOME_NET any -> [141.255.159.0] 80 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200136; rev:1;)
alert tcp $HOME_NET any -> [198.13.49.217] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200137; rev:1;)
alert tcp $HOME_NET any -> [43.248.185.248] 53779 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200138; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.241] 
17803 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200139; rev:1;) alert tcp $HOME_NET any -> [91.92.248.48] 5552 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200140; rev:1;) alert tcp $HOME_NET any -> [149.13.5.179] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200141; rev:1;) alert tcp $HOME_NET any -> [38.181.25.204] 5858 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200142; rev:1;) alert tcp $HOME_NET any -> [91.92.247.96] 5531 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200143; rev:1;) alert tcp $HOME_NET any -> [91.92.247.123] 5531 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200144; rev:1;) alert tcp $HOME_NET any -> [41.216.183.22] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200145; rev:1;) alert tcp $HOME_NET any -> [80.253.246.12] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200146; rev:1;) 
# Destination-IP rules from the SSLBL botnet C2 ruleset, one rule per line. Every rule
# has the same shape: alert on an established TCP flow, in the to_server direction,
# from $HOME_NET (any source port) to one listed address and port. No option inspects
# payload or certificate data, so an alert shows that a host in $HOME_NET completed a
# connection to that endpoint; the family named in msg is the feed's label
# ("likely ..."), not something the rule checks on the wire.
# threshold: type limit, track by_src, seconds 60, count 1 caps each sid at one alert
# per source address per 60 seconds.
# NOTE(review): the file header labels this set "Aggressive" and dates it 2024-04-17.
# Because matching is by address and port only, a hit on an address that has since
# been reassigned looks identical to a real C2 session; check the entry against the
# current feed and corroborate with host telemetry before acting on a single alert.
alert tcp $HOME_NET any -> [172.208.93.32] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200147; rev:1;)
alert tcp $HOME_NET any -> [106.160.59.123] 5468 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200148; rev:1;)
alert tcp $HOME_NET any -> [88.99.214.187] 3232 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200149; rev:1;)
alert tcp $HOME_NET any -> [139.59.72.48] 9443 (msg:"SSLBL: Traffic to malicious host (likely PoshC2 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200150; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.19] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200151; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.200] 3201 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200152; rev:1;)
alert tcp $HOME_NET any -> [142.202.188.201] 9901 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200153; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.84] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200154; rev:1;)
# NOTE(review): port 443 with an address-only match (also sid 905200169, 905200249,
# 905200261, and port 80 under sid 905200206). Unrelated web traffic to the same
# address raises the same alert, so these need the most corroboration when triaging.
alert tcp $HOME_NET any -> [62.210.207.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Havoc C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200155; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.195] 15806 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200156; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.74] 56002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200157; rev:1;)
alert tcp $HOME_NET any -> [122.144.6.226] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200158; rev:1;)
alert tcp $HOME_NET any -> [31.214.240.57] 3232 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200159; rev:1;)
alert tcp $HOME_NET any -> [95.214.25.72] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200160; rev:1;)
alert tcp $HOME_NET any -> [202.146.218.35] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200161; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.239] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200162; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.229] 8302 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200163; rev:1;)
alert tcp $HOME_NET any -> [103.168.19.82] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200164; rev:1;)
alert tcp $HOME_NET any -> [118.89.85.106] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200165; rev:1;)
alert tcp $HOME_NET any -> [113.207.105.224] 16804 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200166; rev:1;)
alert tcp $HOME_NET any -> [146.196.80.168] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200167; rev:1;)
alert tcp $HOME_NET any -> [45.145.229.147] 9606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200168; rev:1;)
alert tcp $HOME_NET any -> [94.242.53.198] 443 (msg:"SSLBL: Traffic to malicious host (likely Havoc C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200169; rev:1;)
alert tcp $HOME_NET any -> [202.63.172.63] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200170; rev:1;)
alert tcp $HOME_NET any -> [45.145.229.151] 9603 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200171; rev:1;)
alert tcp $HOME_NET any -> [116.103.214.233] 1704 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200172; rev:1;)
alert tcp $HOME_NET any -> [3.68.56.232] 10644 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200173; rev:1;)
alert tcp $HOME_NET any -> [3.141.177.1] 11465 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200174; rev:1;)
alert tcp $HOME_NET any -> [213.65.233.25] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200175; rev:1;)
alert tcp $HOME_NET any -> [172.171.254.153] 4748 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200176; rev:1;)
alert tcp $HOME_NET any -> [181.90.42.189] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200177; rev:1;)
alert tcp $HOME_NET any -> [87.248.157.179] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200178; rev:1;)
alert tcp $HOME_NET any -> [45.145.225.162] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200179; rev:1;)
alert tcp $HOME_NET any -> [95.214.27.253] 1357 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200180; rev:1;)
alert tcp $HOME_NET any -> [91.207.57.115] 45529 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200181; rev:1;)
alert tcp $HOME_NET any -> [52.186.179.225] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200182; rev:1;)
# NOTE(review): 193.161.193.99 is listed under two ports (59460 here, 63447 under sid
# 905200190). Several listeners on one address may indicate a shared endpoint rather
# than a single operator's host; verify before treating the whole address as C2.
alert tcp $HOME_NET any -> [193.161.193.99] 59460 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200183; rev:1;)
alert tcp $HOME_NET any -> [179.13.0.48] 4422 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200184; rev:1;)
alert tcp $HOME_NET any -> [213.139.207.234] 56001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200185; rev:1;)
alert tcp $HOME_NET any -> [20.199.45.15] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200186; rev:1;)
alert tcp $HOME_NET any -> [37.1.222.7] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200187; rev:1;)
alert tcp $HOME_NET any -> [40.67.150.126] 2000 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200188; rev:1;)
alert tcp $HOME_NET any -> [185.221.67.19] 17722 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200189; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 63447 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200190; rev:1;)
# 95.214.27.6 is also listed on port 2442 under sid 905200223.
alert tcp $HOME_NET any -> [95.214.27.6] 4545 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200191; rev:1;)
alert tcp $HOME_NET any -> [20.211.121.138] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200192; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.68] 4334 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200193; rev:1;)
alert tcp $HOME_NET any -> [134.255.254.225] 5058 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200194; rev:1;)
alert tcp $HOME_NET any -> [94.156.253.168] 1990 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200195; rev:1;)
alert tcp $HOME_NET any -> [147.189.169.231] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200196; rev:1;)
alert tcp $HOME_NET any -> [95.214.25.90] 32400 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200197; rev:1;)
alert tcp $HOME_NET any -> [77.97.164.31] 6969 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200198; rev:1;)
alert tcp $HOME_NET any -> [163.5.215.216] 4788 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200199; rev:1;)
alert tcp $HOME_NET any -> [178.250.189.225] 9901 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200200; rev:1;)
alert tcp $HOME_NET any -> [138.201.18.225] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200201; rev:1;)
alert tcp $HOME_NET any -> [103.82.38.49] 4449 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200202; rev:1;)
# 185.17.0.246 is listed twice with different family labels: QuasarRAT on port 1419
# here, AsyncRAT on port 4449 under sid 905200217.
alert tcp $HOME_NET any -> [185.17.0.246] 1419 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200203; rev:1;)
alert tcp $HOME_NET any -> [27.124.4.200] 6606 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200204; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.218] 9090 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200205; rev:1;)
alert tcp $HOME_NET any -> [18.118.199.163] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200206; rev:1;)
alert tcp $HOME_NET any -> [154.221.25.208] 8849 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200207; rev:1;)
alert tcp $HOME_NET any -> [45.66.230.22] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200208; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.113] 9346 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200209; rev:1;)
alert tcp $HOME_NET any -> [5.249.163.45] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200210; rev:1;)
alert tcp $HOME_NET any -> [209.25.142.181] 30254 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200211; rev:1;)
alert tcp $HOME_NET any -> [14.225.254.32] 9090 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200212; rev:1;)
alert tcp $HOME_NET any -> [51.103.217.70] 8585 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200213; rev:1;)
alert tcp $HOME_NET any -> [37.221.92.28] 8488 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200214; rev:1;)
alert tcp $HOME_NET any -> [90.62.249.133] 2585 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200215; rev:1;)
alert tcp $HOME_NET any -> [77.91.97.56] 4543 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200216; rev:1;)
alert tcp $HOME_NET any -> [185.17.0.246] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200217; rev:1;)
alert tcp $HOME_NET any -> [46.35.26.183] 24670 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200218; rev:1;)
alert tcp $HOME_NET any -> [42.51.40.184] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200219; rev:1;)
alert tcp $HOME_NET any -> [137.220.48.214] 24535 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200220; rev:1;)
alert tcp $HOME_NET any -> [80.76.51.237] 2023 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200221; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 19801 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200222; rev:1;)
alert tcp $HOME_NET any -> [95.214.27.6] 2442 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200223; rev:1;)
alert tcp $HOME_NET any -> [4.151.131.10] 1011 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200224; rev:1;)
alert tcp $HOME_NET any -> [72.18.130.237] 7321 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200225; rev:1;)
alert tcp $HOME_NET any -> [194.180.48.53] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200226; rev:1;)
alert tcp $HOME_NET any -> [179.13.2.154] 7000 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200227; rev:1;)
alert tcp $HOME_NET any -> [95.214.25.236] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200228; rev:1;)
alert tcp $HOME_NET any -> [193.203.238.54] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200229; rev:1;)
alert tcp $HOME_NET any -> [179.43.154.184] 11371 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200230; rev:1;)
alert tcp $HOME_NET any -> [185.183.33.129] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200231; rev:1;)
alert tcp $HOME_NET any -> [172.94.40.145] 8004 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200232; rev:1;)
alert tcp $HOME_NET any -> [89.23.101.212] 3232 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200233; rev:1;)
alert tcp $HOME_NET any -> [167.86.88.89] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200234; rev:1;)
alert tcp $HOME_NET any -> [199.127.60.151] 8889 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200235; rev:1;)
alert tcp $HOME_NET any -> [103.149.201.212] 8910 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200236; rev:1;)
alert tcp $HOME_NET any -> [65.108.24.87] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200237; rev:1;)
alert tcp $HOME_NET any -> [163.5.215.237] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200238; rev:1;)
alert tcp $HOME_NET any -> [185.212.47.90] 8843 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200239; rev:1;)
alert tcp $HOME_NET any -> [38.6.189.150] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200240; rev:1;)
alert tcp $HOME_NET any -> [80.66.79.27] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200241; rev:1;)
alert tcp $HOME_NET any -> [4.212.242.253] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200242; rev:1;)
alert tcp $HOME_NET any -> [193.43.104.22] 3232 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200243; rev:1;)
alert tcp $HOME_NET any -> [8.210.13.235] 17099 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200244; rev:1;)
alert tcp $HOME_NET any -> [58.87.71.58] 14199 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200245; rev:1;)
alert tcp $HOME_NET any -> [139.180.143.50] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200246; rev:1;)
alert tcp $HOME_NET any -> [95.173.247.110] 8810 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200247; rev:1;)
alert tcp $HOME_NET any -> [213.3.43.23] 58640 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200248; rev:1;)
alert tcp $HOME_NET any -> [156.236.72.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Fabookie C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200249; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.12] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200250; rev:1;)
alert tcp $HOME_NET any -> [193.142.146.212] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200251; rev:1;)
alert tcp $HOME_NET any -> [83.143.112.45] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200252; rev:1;)
alert tcp $HOME_NET any -> [154.12.90.31] 2023 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200253; rev:1;)
alert tcp $HOME_NET any -> [154.91.227.35] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200254; rev:1;)
alert tcp $HOME_NET any -> [51.210.170.204] 5138 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200255; rev:1;)
alert tcp $HOME_NET any -> [107.182.228.197] 2124 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200256; rev:1;)
alert tcp $HOME_NET any -> [141.95.11.145] 81 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200257; rev:1;)
alert tcp $HOME_NET any -> [154.12.90.49] 2023 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200258; rev:1;)
alert tcp $HOME_NET any -> [164.155.255.168] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200259; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.5] 18516 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200260; rev:1;)
# msg carries the generic label "Malware" here; no specific family is named.
alert tcp $HOME_NET any -> [103.144.247.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200261; rev:1;)
alert tcp $HOME_NET any -> [198.44.168.227] 2023 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200262; rev:1;)
alert tcp $HOME_NET any -> [185.106.94.122] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200263; rev:1;)
alert tcp $HOME_NET any -> [194.67.206.185] 666 (msg:"SSLBL: Traffic to malicious host (likely EmpireRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200264; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.252] 53631 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200265; rev:1;)
alert tcp $HOME_NET any -> [37.139.129.231] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200266; rev:1;)
alert tcp $HOME_NET any -> [77.232.132.25] 5001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200267; rev:1;)
alert tcp $HOME_NET any -> [86.252.133.190] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200268; rev:1;)
alert tcp $HOME_NET any -> [37.139.129.145] 5512 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200269; rev:1;)
alert tcp $HOME_NET any -> [31.210.55.202] 81 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200270; rev:1;)
alert tcp $HOME_NET any -> [91.103.252.25] 4681 (msg:"SSLBL: Traffic to malicious host (likely Rhadamanthys C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200271; rev:1;)
alert tcp $HOME_NET any -> [185.225.73.49] 4851 (msg:"SSLBL: Traffic to malicious host (likely Rhadamanthys C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200272; rev:1;)
alert tcp $HOME_NET any -> [193.163.88.106] 38440 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200273; rev:1;)
alert tcp $HOME_NET any -> [185.180.230.132] 1488 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200274; rev:1;)
alert tcp $HOME_NET any -> [20.187.118.150] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200275; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.16] 10735 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200276; rev:1;)
alert tcp $HOME_NET any -> [61.136.166.128] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200277; rev:1;)
alert tcp $HOME_NET any -> [213.238.177.40] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200278; rev:1;)
alert tcp $HOME_NET any -> [176.111.174.101] 443 (msg:"SSLBL: Traffic to malicious host (likely NetSupport C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200279; rev:1;) alert tcp $HOME_NET any -> [161.35.128.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200280; rev:1;) alert tcp $HOME_NET any -> [165.227.8.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200281; rev:1;) alert tcp $HOME_NET any -> [167.94.81.75] 54321 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200282; rev:1;) alert tcp $HOME_NET any -> [92.178.8.159] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200283; rev:1;) alert tcp $HOME_NET any -> [171.22.30.13] 1276 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200284; rev:1;) alert tcp $HOME_NET any -> [209.25.141.181] 56493 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200285; rev:1;) alert tcp $HOME_NET any -> [152.89.247.113] 2 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200286; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15861 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200287; rev:1;)
# Triage note: 172.245.23.178 is listed twice in this stretch, on port 7777
# (labelled AsyncRAT) and on port 4775 (labelled QuasarRAT), under separate
# sids. Because every rule is keyed to one IP:port pair, scope an affected host
# by destination IP across all ports as well as by sid, and read the family
# named in msg as the feed's attribution for that listing only.
alert tcp $HOME_NET any -> [20.199.73.159] 1024 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200288; rev:1;)
alert tcp $HOME_NET any -> [147.50.253.108] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200289; rev:1;)
alert tcp $HOME_NET any -> [95.169.196.222] 1609 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200290; rev:1;)
alert tcp $HOME_NET any -> [52.28.112.211] 19945 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200291; rev:1;)
alert tcp $HOME_NET any -> [185.17.3.72] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200292; rev:1;)
alert tcp $HOME_NET any -> [24.199.83.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Meterpreter C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200293; rev:1;)
alert tcp $HOME_NET any -> [103.170.118.35] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200294; rev:1;)
alert tcp $HOME_NET any -> [172.245.23.178] 7777 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200295; rev:1;)
alert tcp $HOME_NET any -> [158.247.227.231] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200296; rev:1;)
alert tcp $HOME_NET any -> [193.233.133.58] 5631 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200297; rev:1;)
alert tcp $HOME_NET any -> [193.109.85.128] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200298; rev:1;)
alert tcp $HOME_NET any -> [209.25.140.181] 45937 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200299; rev:1;)
alert tcp $HOME_NET any -> [172.245.23.178] 4775 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200300; rev:1;)
alert tcp $HOME_NET any -> [209.141.35.5] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200301; rev:1;)
alert tcp $HOME_NET any -> [111.90.150.186] 8977 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200302; rev:1;)
alert tcp $HOME_NET any -> [193.149.185.150] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200303; rev:1;)
alert tcp $HOME_NET any -> [104.243.47.45] 5230 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200304; rev:1;)
alert tcp $HOME_NET any -> [20.216.165.135] 1024 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200305; rev:1;)
alert tcp $HOME_NET any -> [193.42.40.39] 65503 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200306; rev:1;)
alert tcp $HOME_NET any -> [173.44.50.86] 7788 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200307; rev:1;)
alert tcp $HOME_NET any -> [3.88.20.74] 1111 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200308; rev:1;)
alert tcp $HOME_NET any -> [84.54.50.31] 8877 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200309; rev:1;)
alert tcp $HOME_NET any -> [185.246.220.65] 888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200310; rev:1;)
alert tcp $HOME_NET any -> [34.92.66.146] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200311; rev:1;)
alert tcp $HOME_NET any -> [216.172.99.151] 8080 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200312; rev:1;)
alert tcp $HOME_NET any -> [91.134.150.158] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200313; rev:1;)
alert tcp $HOME_NET any -> [124.248.66.67] 22391 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200314; rev:1;)
alert tcp $HOME_NET any -> [179.13.3.110] 7575 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200315; rev:1;)
alert tcp $HOME_NET any -> [5.230.54.132] 4449 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200316; rev:1;)
alert tcp $HOME_NET any -> [194.9.6.69] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200317; rev:1;)
alert tcp $HOME_NET any -> [212.193.30.230] 56609 (msg:"SSLBL: Traffic to malicious host (likely zgRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200318; rev:1;)
alert tcp $HOME_NET any -> [47.87.136.103] 400 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200319; rev:1;)
alert tcp $HOME_NET any -> [65.2.185.165] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200320; rev:1;)
alert tcp $HOME_NET any -> [198.12.123.17] 5004 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200321; rev:1;)
alert tcp $HOME_NET any -> [185.252.179.71] 8075 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200322; rev:1;)
alert tcp $HOME_NET any -> [20.150.193.28] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200323; rev:1;)
alert tcp $HOME_NET any -> [109.195.94.247] 8096 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200324; rev:1;)
alert tcp $HOME_NET any -> [18.136.148.247] 13000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200325; rev:1;)
alert tcp $HOME_NET any -> [5.161.192.28] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200326; rev:1;)
# Several entries in this stretch sit on common service ports (80, 443, 8080).
# The rules match IP and port only, so they cannot tell the listed service
# apart from anything else reachable at the same address and port.
# NOTE(review): where the address turns out to be shared hosting or a proxy,
# confirm with TLS metadata or endpoint evidence before treating the source
# host as compromised.
# 193.161.193.99 is listed twice here, on port 30878 (labelled QuasarRAT) and
# port 47169 (labelled OrcusRAT); pivot on destination IP, not only on sid.
alert tcp $HOME_NET any -> [103.169.34.151] 2245 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200327; rev:1;)
alert tcp $HOME_NET any -> [74.119.194.154] 2060 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200328; rev:1;)
alert tcp $HOME_NET any -> [194.59.31.39] 2025 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200329; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 30878 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200330; rev:1;)
alert tcp $HOME_NET any -> [45.81.39.62] 7011 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200331; rev:1;)
alert tcp $HOME_NET any -> [91.213.50.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200332; rev:1;)
alert tcp $HOME_NET any -> [95.214.27.44] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200333; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.40] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200334; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 47169 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200335; rev:1;)
alert tcp $HOME_NET any -> [147.135.165.27] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200336; rev:1;)
alert tcp $HOME_NET any -> [74.234.104.236] 3131 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200337; rev:1;)
alert tcp $HOME_NET any -> [45.80.29.139] 1337 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200338; rev:1;)
alert tcp $HOME_NET any -> [43.138.166.76] 6593 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200339; rev:1;)
alert tcp $HOME_NET any -> [144.202.52.245] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200340; rev:1;)
alert tcp $HOME_NET any -> [195.178.120.6] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200341; rev:1;)
alert tcp $HOME_NET any -> [43.226.49.147] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200342; rev:1;)
alert tcp $HOME_NET any -> [185.204.1.182] 54823 (msg:"SSLBL: Traffic to malicious host (likely VenomRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200343; rev:1;)
alert tcp $HOME_NET any -> [154.29.75.191] 2027 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200344; rev:1;)
alert tcp $HOME_NET any -> [64.235.61.43] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200345; rev:1;)
alert tcp $HOME_NET any -> [146.56.36.222] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200346; rev:1;)
alert tcp $HOME_NET any -> [185.161.248.49] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200347; rev:1;)
alert tcp $HOME_NET any -> [80.66.79.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200348; rev:1;)
alert tcp $HOME_NET any -> [91.215.85.153] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200349; rev:1;)
alert tcp $HOME_NET any -> [45.125.67.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Havoc C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200350; rev:1;)
alert tcp $HOME_NET any -> [128.59.46.185] 50272 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200351; rev:1;)
alert tcp $HOME_NET any -> [208.67.107.168] 9055 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200352; rev:1;)
alert tcp $HOME_NET any -> [139.99.114.150] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200353; rev:1;)
alert tcp $HOME_NET any -> [124.248.66.67] 23524 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200354; rev:1;)
alert tcp $HOME_NET any -> [193.32.127.144] 57147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200355; rev:1;)
alert tcp $HOME_NET any -> [95.214.27.146] 47600 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200356; rev:1;)
alert tcp $HOME_NET any -> [61.83.40.108] 3072 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200357; rev:1;)
alert tcp $HOME_NET any -> [172.81.184.73] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200358; rev:1;)
alert tcp $HOME_NET any -> [80.66.79.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200359; rev:1;)
alert tcp $HOME_NET any -> [194.165.16.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200360; rev:1;)
alert tcp $HOME_NET any -> [141.98.6.3] 4973 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200361; rev:1;)
alert tcp $HOME_NET any -> [23.94.36.185] 56609 (msg:"SSLBL: Traffic to malicious host (likely zgRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200362; rev:1;)
alert tcp $HOME_NET any -> [87.121.221.16] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200363; rev:1;)
alert tcp $HOME_NET any -> [38.242.128.85] 5559 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200364; rev:1;)
alert tcp $HOME_NET any -> [217.195.197.82] 81 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200365; rev:1;)
alert tcp $HOME_NET any -> 
[45.204.126.250] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200366; rev:1;)
# Every rule in this stretch carries rev:1 and the sids run consecutively
# (905200366 through 905200404 here), one per IP:port entry.
# NOTE(review): whether a sid stays bound to the same IP:port when the feed is
# regenerated is not shown here; confirm before keying suppressions or
# per-sid tuning to these numbers.
# IP:port indicators age as infrastructure is reassigned; load this ruleset
# from a scheduled refresh of the feed, not from a pinned snapshot.
alert tcp $HOME_NET any -> [45.77.34.211] 9999 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200367; rev:1;)
alert tcp $HOME_NET any -> [45.66.230.222] 6547 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200368; rev:1;)
alert tcp $HOME_NET any -> [141.98.102.235] 16296 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200369; rev:1;)
alert tcp $HOME_NET any -> [84.54.50.51] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200370; rev:1;)
alert tcp $HOME_NET any -> [35.157.111.131] 15748 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200371; rev:1;)
alert tcp $HOME_NET any -> [209.90.234.22] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200372; rev:1;)
alert tcp $HOME_NET any -> [194.87.151.125] 7399 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200373; rev:1;)
alert tcp $HOME_NET any -> [193.169.255.152] 6969 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200374; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.182] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200375; rev:1;)
alert tcp $HOME_NET any -> [15.165.236.45] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200376; rev:1;)
alert tcp $HOME_NET any -> [45.80.158.114] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200377; rev:1;)
alert tcp $HOME_NET any -> [194.87.151.134] 7878 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200378; rev:1;)
alert tcp $HOME_NET any -> [31.41.244.251] 7570 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200379; rev:1;)
alert tcp $HOME_NET any -> [95.214.27.226] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200380; rev:1;)
alert tcp $HOME_NET any -> [45.141.27.208] 4780 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200381; rev:1;)
alert tcp $HOME_NET any -> [87.121.221.179] 4920 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200382; rev:1;)
alert tcp $HOME_NET any -> [37.120.210.219] 48408 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200383; rev:1;)
alert tcp $HOME_NET any -> [75.127.254.214] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200384; rev:1;)
alert tcp $HOME_NET any -> [120.78.151.171] 55233 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200385; rev:1;)
alert tcp $HOME_NET any -> [15.228.89.234] 7000 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200386; rev:1;)
alert tcp $HOME_NET any -> [125.177.149.143] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200387; rev:1;)
alert tcp $HOME_NET any -> [104.243.37.167] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200388; rev:1;)
alert tcp $HOME_NET any -> [194.55.224.44] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200389; rev:1;)
alert tcp $HOME_NET any -> [51.161.107.21] 666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200390; rev:1;)
alert tcp $HOME_NET any -> [45.81.243.217] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200391; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.181] 2044 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200392; rev:1;)
alert tcp $HOME_NET any -> [61.136.162.141] 8899 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200393; rev:1;)
alert tcp $HOME_NET any -> [64.188.16.136] 39583 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200394; rev:1;)
alert tcp $HOME_NET any -> [104.219.237.59] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200395; rev:1;)
alert tcp $HOME_NET any -> [193.200.134.9] 9969 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200396; rev:1;)
alert tcp $HOME_NET any -> [147.189.170.192] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200397; rev:1;)
alert tcp $HOME_NET any -> [162.211.180.79] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200398; rev:1;)
alert tcp $HOME_NET any -> [94.198.40.27] 5030 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200399; rev:1;)
alert tcp $HOME_NET any -> [85.31.45.38] 8808 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200400; rev:1;)
alert tcp $HOME_NET any -> [8.217.67.228] 80 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200401; rev:1;)
alert tcp $HOME_NET any -> [114.132.232.148] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200402; rev:1;)
alert tcp $HOME_NET any -> [212.252.198.21] 1337 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200403; rev:1;)
alert tcp $HOME_NET any -> [45.136.4.101] 888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200404; rev:1;)
alert tcp $HOME_NET any -> [58.221.72.142] 8848 (msg:"SSLBL: Traffic to malicious 
host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200405; rev:1;) alert tcp $HOME_NET any -> [193.42.32.159] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200406; rev:1;) alert tcp $HOME_NET any -> [75.136.204.139] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200407; rev:1;) alert tcp $HOME_NET any -> [93.177.135.66] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200408; rev:1;) alert tcp $HOME_NET any -> [124.120.53.223] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200409; rev:1;) alert tcp $HOME_NET any -> [43.137.15.104] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200410; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 28132 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200411; rev:1;) alert tcp $HOME_NET any -> [185.246.220.251] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200412; rev:1;) alert tcp $HOME_NET any -> [65.0.50.125] 
22247 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200413; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 48452 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200414; rev:1;) alert tcp $HOME_NET any -> [209.25.141.211] 33901 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200415; rev:1;) alert tcp $HOME_NET any -> [209.25.141.211] 33901 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200416; rev:1;) alert tcp $HOME_NET any -> [91.213.50.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200417; rev:1;) alert tcp $HOME_NET any -> [45.12.253.77] 8889 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200418; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 15409 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200419; rev:1;) alert tcp $HOME_NET any -> [31.42.188.159] 4000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200420; rev:1;) alert tcp $HOME_NET any -> [181.141.1.67] 4243 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200421; rev:1;) alert tcp $HOME_NET any -> [144.126.133.48] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200422; rev:1;) alert tcp $HOME_NET any -> [62.210.11.126] 9024 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200423; rev:1;) alert tcp $HOME_NET any -> [43.139.124.22] 6666 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200424; rev:1;) alert tcp $HOME_NET any -> [5.188.86.237] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200425; rev:1;) alert tcp $HOME_NET any -> [139.180.143.50] 11334 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200426; rev:1;) alert tcp $HOME_NET any -> [146.70.128.174] 55178 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200427; rev:1;) alert tcp $HOME_NET any -> [160.178.206.45] 65 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905200428; rev:1;) alert tcp $HOME_NET any -> [154.53.51.201] 9901 (msg:"SSLBL: Traffic to malicious host (likely zgRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200429; rev:1;) alert tcp $HOME_NET any -> [45.155.158.187] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200430; rev:1;) alert tcp $HOME_NET any -> [8.130.34.250] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200431; rev:1;) alert tcp $HOME_NET any -> [23.227.193.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Nemesis C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200432; rev:1;) alert tcp $HOME_NET any -> [149.202.88.107] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200433; rev:1;) alert tcp $HOME_NET any -> [216.250.106.236] 8881 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200434; rev:1;) alert tcp $HOME_NET any -> [40.113.131.31] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200435; rev:1;) alert tcp $HOME_NET any -> [154.39.252.24] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200436; rev:1;) alert tcp $HOME_NET any -> [141.95.84.40] 4040 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200437; rev:1;) alert tcp $HOME_NET any -> [38.47.205.151] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200438; rev:1;) alert tcp $HOME_NET any -> [157.90.51.195] 6980 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200439; rev:1;) alert tcp $HOME_NET any -> [103.117.72.103] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200440; rev:1;) alert tcp $HOME_NET any -> [147.185.221.180] 64654 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200441; rev:1;) alert tcp $HOME_NET any -> [104.238.147.18] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200442; rev:1;) alert tcp $HOME_NET any -> [172.104.148.228] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200443; rev:1;) alert tcp $HOME_NET any -> [154.23.133.89] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200444; rev:1;) alert tcp $HOME_NET any -> [45.9.16.242] 5200 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200445; rev:1;) alert tcp $HOME_NET any -> [47.87.239.56] 312 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200446; rev:1;) alert tcp $HOME_NET any -> [185.246.220.122] 1488 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200447; rev:1;) alert tcp $HOME_NET any -> [209.25.142.180] 10569 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200448; rev:1;) alert tcp $HOME_NET any -> [172.94.111.4] 2008 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200449; rev:1;) alert tcp $HOME_NET any -> [206.123.132.68] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200450; rev:1;) alert tcp $HOME_NET any -> [45.81.39.83] 3456 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200451; rev:1;) alert tcp $HOME_NET any -> [194.59.218.147] 8808 (msg:"SSLBL: Traffic to malicious host 
(likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200452; rev:1;) alert tcp $HOME_NET any -> [103.213.111.207] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200453; rev:1;) alert tcp $HOME_NET any -> [171.247.70.48] 88 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200454; rev:1;) alert tcp $HOME_NET any -> [185.81.157.28] 2030 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200455; rev:1;) alert tcp $HOME_NET any -> [95.168.191.181] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200456; rev:1;) alert tcp $HOME_NET any -> [154.91.228.23] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200457; rev:1;) alert tcp $HOME_NET any -> [84.21.172.55] 1339 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200458; rev:1;) alert tcp $HOME_NET any -> [194.5.98.6] 20 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200459; rev:1;) alert tcp $HOME_NET any -> [89.38.131.104] 4449 
(msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200460; rev:1;) alert tcp $HOME_NET any -> [91.134.187.20] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200461; rev:1;) alert tcp $HOME_NET any -> [20.77.74.136] 1337 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200462; rev:1;) alert tcp $HOME_NET any -> [209.25.141.180] 10569 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200463; rev:1;) alert tcp $HOME_NET any -> [209.25.141.180] 10569 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200464; rev:1;) alert tcp $HOME_NET any -> [209.25.140.180] 10569 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200465; rev:1;) alert tcp $HOME_NET any -> [108.143.240.80] 313 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200466; rev:1;) alert tcp $HOME_NET any -> [109.206.240.5] 5992 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200467; rev:1;) alert 
tcp $HOME_NET any -> [43.154.97.109] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200468; rev:1;) alert tcp $HOME_NET any -> [23.224.131.154] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200469; rev:1;) alert tcp $HOME_NET any -> [23.254.253.134] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200470; rev:1;) alert tcp $HOME_NET any -> [80.66.88.145] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200471; rev:1;) alert tcp $HOME_NET any -> [89.23.107.39] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200472; rev:1;) alert tcp $HOME_NET any -> [85.239.52.234] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200473; rev:1;) alert tcp $HOME_NET any -> [79.110.62.147] 2025 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200474; rev:1;) alert tcp $HOME_NET any -> [193.200.134.9] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200475; rev:1;) alert tcp $HOME_NET any -> [68.235.43.14] 58811 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200476; rev:1;) alert tcp $HOME_NET any -> [3.86.249.47] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200477; rev:1;) alert tcp $HOME_NET any -> [62.150.88.68] 9514 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200478; rev:1;) alert tcp $HOME_NET any -> [179.43.142.197] 5789 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200479; rev:1;) alert tcp $HOME_NET any -> [185.246.221.7] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200480; rev:1;) alert tcp $HOME_NET any -> [37.120.210.219] 9771 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200481; rev:1;) alert tcp $HOME_NET any -> [193.138.195.211] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200482; rev:1;) alert tcp $HOME_NET any -> [209.127.19.155] 5200 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905200483; rev:1;) alert tcp $HOME_NET any -> [43.249.30.55] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200484; rev:1;) alert tcp $HOME_NET any -> [185.33.234.172] 3131 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200485; rev:1;) alert tcp $HOME_NET any -> [121.62.17.105] 8848 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200486; rev:1;) alert tcp $HOME_NET any -> [206.238.115.140] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200487; rev:1;) alert tcp $HOME_NET any -> [104.194.10.209] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200488; rev:1;) alert tcp $HOME_NET any -> [135.181.204.51] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200489; rev:1;) alert tcp $HOME_NET any -> [66.63.167.121] 57913 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200490; rev:1;) alert tcp $HOME_NET any -> [20.226.0.95] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200491; rev:1;) alert tcp $HOME_NET any -> [91.209.226.129] 4477 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200492; rev:1;) alert tcp $HOME_NET any -> [46.196.26.192] 4784 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200493; rev:1;) alert tcp $HOME_NET any -> [167.71.56.116] 22993 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200494; rev:1;) alert tcp $HOME_NET any -> [20.203.175.5] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200495; rev:1;) alert tcp $HOME_NET any -> [139.155.57.162] 8443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200496; rev:1;) alert tcp $HOME_NET any -> [23.251.17.65] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200497; rev:1;) alert tcp $HOME_NET any -> [185.250.241.219] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200498; rev:1;) alert tcp $HOME_NET any -> [20.223.155.39] 8808 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200499; rev:1;) alert tcp $HOME_NET any -> [20.197.196.201] 7749 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200500; rev:1;) alert tcp $HOME_NET any -> [147.185.221.212] 15420 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200501; rev:1;) alert tcp $HOME_NET any -> [135.148.113.4] 6789 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200502; rev:1;) alert tcp $HOME_NET any -> [192.188.88.248] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200503; rev:1;) alert tcp $HOME_NET any -> [157.254.194.6] 600 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200504; rev:1;) alert tcp $HOME_NET any -> [89.190.226.232] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200505; rev:1;) alert tcp $HOME_NET any -> [185.255.95.191] 99 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200506; rev:1;) alert tcp $HOME_NET any -> [38.45.124.106] 8848 (msg:"SSLBL: Traffic 
to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200507; rev:1;)
# The line above is the tail of a rule that starts before this section; the
# last line of this section is the head of a rule that continues after it.
#
# Every rule below has the same shape: it fires on an established TCP flow
# from $HOME_NET to one listed destination IP and port
# (flow:established,to_server). No payload or TLS content is inspected, so a
# hit means "an internal host connected to this IP:port". The family named in
# msg is the feed's "likely" attribution, not something the rule checks on the
# wire.
#
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one
# alert per source address per rule per 60 seconds. Alert counts therefore
# understate connection counts; scope an incident from flow/connection logs,
# not from the number of alerts.
#
# The file header stamps this snapshot 2024-04-17 ("Aggressive" list). IP:port
# indicators go stale as addresses are reassigned, so load a current copy of
# the feed rather than a saved one, and review entries before using them to
# block rather than alert.
#
# NOTE(review): the in-rule `threshold` option is accepted by Suricata but is
# documented as deprecated in Snort 2.x in favour of event_filter /
# detection_filter -- confirm against the engine version in use.
alert tcp $HOME_NET any -> [23.94.159.165] 17251 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200508; rev:1;)
alert tcp $HOME_NET any -> [45.12.253.31] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200509; rev:1;)
alert tcp $HOME_NET any -> [185.213.155.163] 57808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200510; rev:1;)
alert tcp $HOME_NET any -> [109.107.174.128] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200511; rev:1;)
alert tcp $HOME_NET any -> [192.3.193.136] 2023 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200512; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.221] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200513; rev:1;)
alert tcp $HOME_NET any -> [179.14.168.33] 3003 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200514; rev:1;)
alert tcp $HOME_NET any -> [103.146.23.112] 1571 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200515; rev:1;)
alert tcp $HOME_NET any -> [94.130.170.166] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200516; rev:1;)
alert tcp $HOME_NET any -> [38.242.228.203] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200517; rev:1;)
alert tcp $HOME_NET any -> [185.243.181.86] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200518; rev:1;)
alert tcp $HOME_NET any -> [185.246.220.63] 3395 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200519; rev:1;)
alert tcp $HOME_NET any -> [159.65.235.56] 6666 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200520; rev:1;)
alert tcp $HOME_NET any -> [95.216.102.32] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200521; rev:1;)
alert tcp $HOME_NET any -> [20.4.6.16] 43521 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200522; rev:1;)
alert tcp $HOME_NET any -> [77.83.242.206] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200523; rev:1;)
alert tcp $HOME_NET any -> [154.12.234.207] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200524; rev:1;)
alert tcp $HOME_NET any -> [3.22.53.161] 15845 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200525; rev:1;)
alert tcp $HOME_NET any -> [179.43.187.19] 2326 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200526; rev:1;)
# Port 443 entries (here and below) match any established TCP session to the
# listed address on the HTTPS port. Where an address is shared hosting,
# unrelated HTTPS traffic to it raises the same alert; correlate with TLS
# metadata (certificate fingerprint, SNI) from your sensor before escalating.
alert tcp $HOME_NET any -> [116.205.161.193] 443 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200527; rev:1;)
alert tcp $HOME_NET any -> [124.221.236.175] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200528; rev:1;)
alert tcp $HOME_NET any -> [80.240.18.7] 3131 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200529; rev:1;)
alert tcp $HOME_NET any -> [209.126.2.34] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200530; rev:1;)
alert tcp $HOME_NET any -> [209.126.2.34] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200531; rev:1;)
alert tcp $HOME_NET any -> [43.138.160.55] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200532; rev:1;)
alert tcp $HOME_NET any -> [45.133.174.122] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200533; rev:1;)
alert tcp $HOME_NET any -> [45.133.174.122] 7707 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200534; rev:1;)
alert tcp $HOME_NET any -> [45.143.8.181] 13389 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200535; rev:1;)
alert tcp $HOME_NET any -> [185.176.220.29] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200536; rev:1;)
alert tcp $HOME_NET any -> [95.216.102.32] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200537; rev:1;)
alert tcp $HOME_NET any -> [103.173.226.172] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200538; rev:1;)
alert tcp $HOME_NET any -> [185.176.220.145] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200539; rev:1;)
alert tcp $HOME_NET any -> [190.2.147.39] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200540; rev:1;)
alert tcp $HOME_NET any -> [193.111.248.239] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200541; rev:1;)
alert tcp $HOME_NET any -> [5.161.56.132] 2347 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200542; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.40] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200543; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.148] 5050 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200544; rev:1;)
alert tcp $HOME_NET any -> [20.25.94.83] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200545; rev:1;)
alert tcp $HOME_NET any -> [20.125.118.35] 2244 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200546; rev:1;)
alert tcp $HOME_NET any -> [45.139.105.207] 4782 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200547; rev:1;)
alert tcp $HOME_NET any -> [154.12.250.38] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200548; rev:1;)
alert tcp $HOME_NET any -> [85.105.88.221] 2531 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200549; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.233] 5430 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200550; rev:1;)
alert tcp $HOME_NET any -> [23.254.224.102] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200551; rev:1;)
alert tcp $HOME_NET any -> [51.222.98.70] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200552; rev:1;)
alert tcp $HOME_NET any -> [51.222.98.70] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200553; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.134] 7331 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200554; rev:1;)
alert tcp $HOME_NET any -> [147.189.168.100] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200555; rev:1;)
alert tcp $HOME_NET any -> [104.168.149.16] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200556; rev:1;)
alert tcp $HOME_NET any -> [67.191.63.138] 4781 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200557; rev:1;)
# Destination port 53 over TCP: the rule keys on IP and port only, so it does
# not tell DNS from any other protocol carried on that port.
alert tcp $HOME_NET any -> [107.213.220.165] 53 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200558; rev:1;)
alert tcp $HOME_NET any -> [154.12.250.38] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200559; rev:1;)
alert tcp $HOME_NET any -> [193.149.176.156] 8080 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200560; rev:1;)
alert tcp $HOME_NET any -> [142.44.252.26] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200561; rev:1;)
alert tcp $HOME_NET any -> [20.100.196.69] 9281 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200562; rev:1;)
alert tcp $HOME_NET any -> [23.94.236.147] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200563; rev:1;)
alert tcp $HOME_NET any -> [23.254.225.181] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200564; rev:1;)
alert tcp $HOME_NET any -> [157.245.44.217] 8448 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200565; rev:1;)
alert tcp $HOME_NET any -> [23.226.77.22] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200566; rev:1;)
alert tcp $HOME_NET any -> [195.206.235.234] 1907 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200567; rev:1;)
alert tcp $HOME_NET any -> [66.85.173.3] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200568; rev:1;)
alert tcp $HOME_NET any -> [4.201.51.87] 5786 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200569; rev:1;)
alert tcp $HOME_NET any -> [156.96.156.177] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200570; rev:1;)
alert tcp $HOME_NET any -> [185.225.70.150] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200571; rev:1;)
alert tcp $HOME_NET any -> [123.253.35.251] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200572; rev:1;)
alert tcp $HOME_NET any -> [23.236.181.126] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200573; rev:1;)
alert tcp $HOME_NET any -> [185.246.220.208] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200574; rev:1;)
alert tcp $HOME_NET any -> [165.227.31.192] 22781 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200575; rev:1;)
alert tcp $HOME_NET any -> [152.89.247.44] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200576; rev:1;)
# msg names only the generic "Malware" for this entry and the similarly
# labelled ones below: the rule text carries no family attribution, so triage
# has to identify the family from endpoint evidence.
alert tcp $HOME_NET any -> [103.144.139.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200577; rev:1;)
alert tcp $HOME_NET any -> [185.173.34.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200578; rev:1;)
alert tcp $HOME_NET any -> [4.231.233.180] 25310 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200579; rev:1;)
alert tcp $HOME_NET any -> [103.144.139.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200580; rev:1;)
alert tcp $HOME_NET any -> [84.38.133.197] 1337 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200581; rev:1;)
alert tcp $HOME_NET any -> [160.20.145.136] 3392 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200582; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.198] 4545 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200583; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 18867 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200584; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.111] 8787 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200585; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.36] 8084 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200586; rev:1;)
alert tcp $HOME_NET any -> [101.43.238.170] 60001 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200587; rev:1;)
alert tcp $HOME_NET any -> [91.178.236.90] 8808 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200588; rev:1;)
alert tcp $HOME_NET any -> [81.68.193.9] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200589; rev:1;)
alert tcp $HOME_NET any -> [193.233.48.17] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200590; rev:1;)
alert tcp $HOME_NET any -> [138.99.211.39] 2119 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200591; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.212] 34218 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200592; rev:1;)
alert tcp $HOME_NET any -> [147.189.172.218] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200593; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.22] 5211 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200594; rev:1;)
alert tcp $HOME_NET any -> [78.166.31.7] 4444 (msg:"SSLBL: Traffic to malicious host (likely Meterpreter C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200595; rev:1;)
alert tcp $HOME_NET any -> [150.253.77.7] 6520 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200596; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.202] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200597; rev:1;)
alert tcp $HOME_NET any -> [95.211.140.160] 777 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200598; rev:1;)
alert tcp $HOME_NET any -> [198.20.177.229] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200599; rev:1;)
alert tcp $HOME_NET any -> [207.180.221.51] 6922 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200600; rev:1;)
alert tcp $HOME_NET any -> [103.136.199.131] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200601; rev:1;)
alert tcp $HOME_NET any -> [52.28.247.255] 13890 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200602; rev:1;)
alert tcp $HOME_NET any -> [103.239.247.113] 33279 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200603; rev:1;)
alert tcp $HOME_NET any -> [20.111.63.231] 7072 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200604; rev:1;)
alert tcp $HOME_NET any -> [91.109.178.8] 4777 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200605; rev:1;)
alert tcp $HOME_NET any -> [172.86.120.88] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200606; rev:1;)
alert tcp $HOME_NET any -> [192.236.163.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200607; rev:1;)
alert tcp $HOME_NET any -> [8.210.121.56] 10165 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200608; rev:1;)
alert tcp $HOME_NET any -> [193.164.17.129] 443 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200609; rev:1;)
alert tcp $HOME_NET any -> [194.110.112.45] 54956 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200610; rev:1;)
alert tcp $HOME_NET any -> [185.62.56.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200611; rev:1;)
alert tcp $HOME_NET any -> [4.227.187.147] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200612; rev:1;)
alert tcp $HOME_NET any -> [152.89.247.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200613; rev:1;)
alert tcp $HOME_NET any -> [212.193.30.230] 7011 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200614; rev:1;)
alert tcp $HOME_NET any -> [146.190.69.247] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200615; rev:1;)
alert tcp $HOME_NET any -> [159.89.35.152] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200616; rev:1;)
alert tcp $HOME_NET any -> [159.89.35.152] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200617; rev:1;)
alert tcp $HOME_NET any -> [159.89.35.152] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200618; rev:1;)
alert tcp $HOME_NET any -> [172.93.193.231] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200619; rev:1;)
alert tcp $HOME_NET any -> [154.204.180.237] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200620; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.198] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200621; rev:1;)
alert tcp $HOME_NET any -> [193.47.61.249] 1024 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200622; rev:1;)
alert tcp $HOME_NET any -> [91.109.188.2] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200623; rev:1;)
alert tcp $HOME_NET any -> [212.83.173.68] 2576 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200624; rev:1;)
# sid:905200625 and sid:905200626 match the same destination IP and port and
# differ only in the family named in msg. One connection raises both alerts;
# deduplicate on destination IP:port in triage and do not read the two family
# names as two separate infections.
alert tcp $HOME_NET any -> [20.166.62.124] 49264 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200625; rev:1;)
alert tcp $HOME_NET any -> [20.166.62.124] 49264 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200626; rev:1;)
alert tcp $HOME_NET any -> [172.86.120.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200627; rev:1;)
alert tcp $HOME_NET any -> [114.116.34.118] 7777 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200628; rev:1;)
alert tcp $HOME_NET any -> [91.227.113.154] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200629; rev:1;)
alert tcp $HOME_NET any -> [91.109.178.9] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200630; rev:1;)
alert tcp $HOME_NET any -> [190.2.147.39] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200631; rev:1;)
alert tcp $HOME_NET any -> [107.182.129.146] 4343 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200632; rev:1;)
alert tcp $HOME_NET any -> [107.182.129.146] 6000 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200633; rev:1;)
alert tcp $HOME_NET any -> [92.99.178.55] 1444 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200634; rev:1;)
alert tcp $HOME_NET any -> [20.8.122.174] 31682 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200635; rev:1;)
# Destination port 22: the rule keys on IP and port only, so an SSH session to
# this host and any other protocol on that port raise the same alert.
alert tcp $HOME_NET any -> [149.102.129.194] 22 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200636; rev:1;)
alert tcp $HOME_NET any -> [209.25.141.180] 52932 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200637; rev:1;)
alert tcp $HOME_NET any -> [20.238.78.172] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200638; rev:1;)
alert tcp $HOME_NET any -> [101.99.94.203] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200639; rev:1;)
alert tcp $HOME_NET any -> [51.83.137.127] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200640; rev:1;)
alert tcp $HOME_NET any -> [173.234.105.145] 5201 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200641; rev:1;)
alert tcp $HOME_NET any -> [179.43.187.19] 4523 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200642; rev:1;)
alert tcp $HOME_NET any -> [45.142.213.194] 44352 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200643; rev:1;)
alert tcp $HOME_NET any -> [20.169.8.10] 5877 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200644; rev:1;)
alert tcp $HOME_NET any -> [1.15.67.80] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200645; rev:1;)
alert tcp $HOME_NET any -> [171.22.30.33] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200646; rev:1;)
alert tcp $HOME_NET any -> [109.206.241.84] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200647; rev:1;)
# NOTE(review): this destination ends in .0 and looks like an address inside a
# CDN / reverse-proxy provider's published range (presumably Cloudflare) --
# confirm with a WHOIS lookup. If so, the address fronts many unrelated sites
# and this rule is a likely source of false positives; keep it alert-only.
alert tcp $HOME_NET any -> [188.114.96.0] 2053 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200648; rev:1;)
alert tcp $HOME_NET any -> [103.149.201.214] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200649; rev:1;)
alert tcp $HOME_NET any -> [194.61.119.50] 8884 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200650; rev:1;)
alert tcp $HOME_NET any -> [15.204.13.245] 5000 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200651; rev:1;)
alert tcp $HOME_NET any -> [192.3.76.153] 5200 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200652; rev:1;)
# sid:905200653 and sid:905200654 match the same destination IP and port under
# two family labels; one connection raises both alerts.
alert tcp $HOME_NET any -> [20.127.173.166] 8973 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200653; rev:1;)
alert tcp $HOME_NET any -> [20.127.173.166] 8973 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200654; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.61] 8973 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200655; rev:1;)
alert tcp $HOME_NET any -> [20.240.61.211] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200656; rev:1;)
alert tcp $HOME_NET any -> [20.212.19.59] 51585 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200657; rev:1;)
alert tcp $HOME_NET any -> [162.19.131.197] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200658; rev:1;)
alert tcp $HOME_NET any -> [103.125.190.185] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200659; rev:1;)
alert tcp $HOME_NET any -> [92.222.212.65] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200660; rev:1;)
alert tcp $HOME_NET any -> [147.50.253.97] 8454 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200661; rev:1;)
alert tcp $HOME_NET any -> [18.189.106.45] 13405 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200662; rev:1;)
alert tcp $HOME_NET any -> [154.16.67.29] 9090 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200663; rev:1;)
alert tcp $HOME_NET any -> [175.10.103.11] 8443 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200664; rev:1;)
alert tcp $HOME_NET any -> [107.174.212.121] 5005 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200665; rev:1;)
alert tcp $HOME_NET any -> [82.65.64.66] 1234 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200666; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 12104 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200667; rev:1;)
alert tcp $HOME_NET any -> [192.3.101.108] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200668; rev:1;)
alert tcp $HOME_NET any -> [20.16.8.148] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200669; rev:1;)
alert tcp $HOME_NET any -> [20.107.115.162] 50239 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200670; rev:1;)
alert tcp $HOME_NET any -> [77.34.128.25] 8080 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200671; rev:1;) alert tcp $HOME_NET any -> [171.235.66.23] 233 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200672; rev:1;) alert tcp $HOME_NET any -> [45.76.184.89] 90 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200673; rev:1;) alert tcp $HOME_NET any -> [13.59.15.185] 19091 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200674; rev:1;) alert tcp $HOME_NET any -> [181.141.1.86] 1994 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200675; rev:1;) alert tcp $HOME_NET any -> [80.66.88.146] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200676; rev:1;) alert tcp $HOME_NET any -> [45.76.184.89] 92 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200677; rev:1;) alert tcp $HOME_NET any -> [20.205.136.175] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200678; rev:1;) alert tcp $HOME_NET any -> [64.44.167.136] 46452 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200679; rev:1;) alert tcp $HOME_NET any -> [20.98.138.214] 2288 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200680; rev:1;) alert tcp $HOME_NET any -> [103.74.101.124] 2245 (msg:"SSLBL: Traffic to malicious host (likely Vjw0rm C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200681; rev:1;) alert tcp $HOME_NET any -> [173.225.115.99] 7702 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200682; rev:1;) alert tcp $HOME_NET any -> [185.248.140.146] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200683; rev:1;) alert tcp $HOME_NET any -> [45.82.179.76] 4499 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200684; rev:1;) alert tcp $HOME_NET any -> [45.14.13.20] 4499 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200685; rev:1;) alert tcp $HOME_NET any -> [45.61.136.197] 443 (msg:"SSLBL: Traffic to malicious host (likely DoNot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200686; rev:1;) alert tcp $HOME_NET any -> [44.192.67.149] 4784 (msg:"SSLBL: Traffic to malicious 
host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200687; rev:1;) alert tcp $HOME_NET any -> [37.0.14.203] 1905 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200688; rev:1;) alert tcp $HOME_NET any -> [179.13.3.107] 4203 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200689; rev:1;) alert tcp $HOME_NET any -> [80.76.51.137] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200690; rev:1;) alert tcp $HOME_NET any -> [95.107.48.217] 6666 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200691; rev:1;) alert tcp $HOME_NET any -> [45.154.98.214] 6606 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200692; rev:1;) alert tcp $HOME_NET any -> [20.111.19.215] 3152 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200693; rev:1;) alert tcp $HOME_NET any -> [2.59.119.84] 7943 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200694; rev:1;) alert tcp $HOME_NET any -> [86.63.204.69] 
5000 (msg:"SSLBL: Traffic to malicious host (likely AveMariaRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200695; rev:1;) alert tcp $HOME_NET any -> [20.171.107.243] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200696; rev:1;) alert tcp $HOME_NET any -> [190.123.44.184] 8201 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200697; rev:1;) alert tcp $HOME_NET any -> [64.44.135.174] 105 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200698; rev:1;) alert tcp $HOME_NET any -> [39.107.242.96] 47820 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200699; rev:1;) alert tcp $HOME_NET any -> [102.159.236.65] 90 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200700; rev:1;) alert tcp $HOME_NET any -> [3.72.110.63] 9087 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200701; rev:1;) alert tcp $HOME_NET any -> [159.223.57.212] 8471 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200702; rev:1;) 
# NOTE(review): the rules below are laid out one per line. Each one matches on
# destination IP and port alone (no content or TLS option), so an alert shows
# that a HOME_NET host completed a TCP handshake to a listed address; the
# "likely <family>" text in msg is the feed's label, not a protocol match.
#   - flow:established,to_server: connections dropped before the handshake
#     completes produce no alert.
#   - threshold type limit / track by_src / seconds 60 / count 1: one alert per
#     source address per 60 s per rule; alert counts understate beacon rate.
#   - Address-based indicators go stale when hosting IPs are reassigned; check
#     an entry's listing date at the source before treating a hit as current.
alert tcp $HOME_NET any -> [85.31.46.207] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200703; rev:1;)
alert tcp $HOME_NET any -> [66.94.108.214] 6655 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200704; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 10108 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200705; rev:1;)
alert tcp $HOME_NET any -> [54.84.208.91] 58466 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200706; rev:1;)
alert tcp $HOME_NET any -> [209.25.141.180] 56956 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200707; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.218] 6305 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200708; rev:1;)
alert tcp $HOME_NET any -> [151.80.238.28] 6606 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200709; rev:1;)
alert tcp $HOME_NET any -> [146.70.101.97] 8080 (msg:"SSLBL: Traffic to malicious host (likely Meterpreter C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200710; rev:1;)
# NOTE(review): destination port 22 -- the rule does not inspect the session,
# so it cannot tell an SSH login to this address from the labelled traffic.
alert tcp $HOME_NET any -> [188.227.57.46] 22 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200711; rev:1;)
alert tcp $HOME_NET any -> [40.90.168.244] 9909 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200712; rev:1;)
alert tcp $HOME_NET any -> [20.42.114.46] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200713; rev:1;)
alert tcp $HOME_NET any -> [207.32.218.123] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200714; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.22] 7936 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200715; rev:1;)
alert tcp $HOME_NET any -> [91.109.178.7] 7505 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200716; rev:1;)
alert tcp $HOME_NET any -> [172.94.11.178] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200717; rev:1;)
alert tcp $HOME_NET any -> [91.151.88.159] 3131 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200718; rev:1;)
alert tcp $HOME_NET any -> [45.154.98.87] 8453 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200719; rev:1;)
alert tcp $HOME_NET any -> [93.177.103.26] 1992 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200720; rev:1;)
alert tcp $HOME_NET any -> [43.142.80.49] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200721; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 10448 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200722; rev:1;)
alert tcp $HOME_NET any -> [51.38.112.16] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200723; rev:1;)
# NOTE(review): sid:905200724 ("Malware distribution") and, further down,
# sid:905200762 and sid:905200777 ("Malware C&C") carry a generic label with no
# family named; triage these on the destination itself rather than the msg.
alert tcp $HOME_NET any -> [149.248.52.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200724; rev:1;)
alert tcp $HOME_NET any -> [115.75.66.68] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200725; rev:1;)
alert tcp $HOME_NET any -> [85.217.145.55] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200726; rev:1;)
alert tcp $HOME_NET any -> [64.44.98.23] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200727; rev:1;)
alert tcp $HOME_NET any -> [43.129.88.120] 60002 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200728; rev:1;)
alert tcp $HOME_NET any -> [213.152.162.181] 50548 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200729; rev:1;)
alert tcp $HOME_NET any -> [194.9.172.60] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200730; rev:1;)
alert tcp $HOME_NET any -> [119.23.227.43] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200731; rev:1;)
alert tcp $HOME_NET any -> [192.158.232.67] 1431 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200732; rev:1;)
alert tcp $HOME_NET any -> [185.225.73.150] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200733; rev:1;)
alert tcp $HOME_NET any -> [35.193.72.139] 6877 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200734; rev:1;)
alert tcp $HOME_NET any -> [195.178.120.187] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200735; rev:1;)
alert tcp $HOME_NET any -> [50.54.215.55] 4444 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200736; rev:1;)
alert tcp $HOME_NET any -> [89.23.97.5] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200737; rev:1;)
alert tcp $HOME_NET any -> [123.160.10.39] 60756 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200738; rev:1;)
alert tcp $HOME_NET any -> [161.97.106.212] 6655 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200739; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.5] 6397 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200740; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.115] 6061 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200741; rev:1;)
alert tcp $HOME_NET any -> [164.92.113.92] 9007 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200742; rev:1;)
alert tcp $HOME_NET any -> [37.0.14.196] 2050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200743; rev:1;)
alert tcp $HOME_NET any -> [107.182.129.16] 8010 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200744; rev:1;)
alert tcp $HOME_NET any -> [52.220.121.212] 15817 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200745; rev:1;)
alert tcp $HOME_NET any -> [59.22.167.217] 13345 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200746; rev:1;)
alert tcp $HOME_NET any -> [176.232.184.98] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200747; rev:1;)
alert tcp $HOME_NET any -> [45.140.146.241] 443 (msg:"SSLBL: Traffic to malicious host (likely RM3 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200748; rev:1;)
alert tcp $HOME_NET any -> [5.182.37.136] 443 (msg:"SSLBL: Traffic to malicious host (likely RM3 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200749; rev:1;)
alert tcp $HOME_NET any -> [31.214.245.229] 3399 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200750; rev:1;)
alert tcp $HOME_NET any -> [34.125.93.181] 8080 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200751; rev:1;)
alert tcp $HOME_NET any -> [3.125.115.192] 18 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200752; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.212] 1893 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200753; rev:1;)
alert tcp $HOME_NET any -> [76.8.53.133] 62520 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200754; rev:1;)
alert tcp $HOME_NET any -> [91.109.188.12] 7505 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200755; rev:1;)
alert tcp $HOME_NET any -> [176.124.213.115] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200756; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.190] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200757; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 52307 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200758; rev:1;)
alert tcp $HOME_NET any -> [38.17.51.104] 1989 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200759; rev:1;)
alert tcp $HOME_NET any -> [185.105.237.113] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200760; rev:1;)
alert tcp $HOME_NET any -> [20.199.43.130] 3421 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200761; rev:1;)
alert tcp $HOME_NET any -> [45.95.11.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200762; rev:1;)
alert tcp $HOME_NET any -> [124.223.14.242] 443 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200763; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.232] 3738 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200764; rev:1;)
alert tcp $HOME_NET any -> [52.88.36.247] 50679 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200765; rev:1;)
alert tcp $HOME_NET any -> [124.221.219.55] 4433 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200766; rev:1;)
alert tcp $HOME_NET any -> [190.123.45.9] 443 (msg:"SSLBL: Traffic to malicious host (likely IceXLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200767; rev:1;)
alert tcp $HOME_NET any -> [87.251.79.117] 10101 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200768; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.180] 25384 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200769; rev:1;)
alert tcp $HOME_NET any -> [23.101.213.237] 4546 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200770; rev:1;)
alert tcp $HOME_NET any -> [191.101.30.16] 2323 (msg:"SSLBL: Traffic to malicious host (likely Vjw0rm C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200771; rev:1;)
alert tcp $HOME_NET any -> [3.219.26.62] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200772; rev:1;)
alert tcp $HOME_NET any -> [18.207.218.15] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200773; rev:1;)
alert tcp $HOME_NET any -> [95.13.149.131] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200774; rev:1;)
alert tcp $HOME_NET any -> [185.236.78.58] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200775; rev:1;)
alert tcp $HOME_NET any -> [124.222.98.55] 3000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200776; rev:1;)
alert tcp $HOME_NET any -> [18.169.191.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200777; rev:1;)
alert tcp $HOME_NET any -> [185.225.73.183] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200778; rev:1;)
alert tcp $HOME_NET any -> [191.101.130.243] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200779; rev:1;)
alert tcp $HOME_NET any -> [61.14.233.88] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200780; rev:1;)
alert tcp $HOME_NET any -> [185.173.34.75] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200781; rev:1;)
alert tcp $HOME_NET any -> [182.186.88.126] 6907 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200782; rev:1;)
alert tcp $HOME_NET any -> [77.91.72.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200783; rev:1;)
alert tcp $HOME_NET any -> [103.207.36.123] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200784; rev:1;)
alert tcp $HOME_NET any -> [20.12.204.46] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200785; rev:1;)
alert tcp $HOME_NET any -> [213.152.162.149] 46525 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200786; rev:1;)
alert tcp $HOME_NET any -> [109.206.241.81] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200787; rev:1;)
alert tcp $HOME_NET any -> [185.112.83.206] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200788; rev:1;)
alert tcp $HOME_NET any -> [185.236.78.58] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200789; rev:1;)
alert tcp $HOME_NET any -> [179.43.187.131] 6000 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200790; rev:1;)
alert tcp $HOME_NET any -> [173.234.155.109] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200791; rev:1;)
alert tcp $HOME_NET any -> [20.127.4.172] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200792; rev:1;)
alert tcp $HOME_NET any -> [38.105.209.167] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200793; rev:1;)
alert tcp $HOME_NET any -> [77.192.68.90] 1900 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200794; rev:1;)
alert tcp $HOME_NET any -> [185.141.63.211] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200795; rev:1;)
alert tcp $HOME_NET any -> [186.169.80.56] 9090 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200796; rev:1;)
alert tcp $HOME_NET any -> [86.106.74.55] 54966 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200797; rev:1;)
alert tcp $HOME_NET any -> [62.210.57.2] 1284 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200798; rev:1;)
alert tcp $HOME_NET any -> [165.22.226.149] 8008 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200799; rev:1;)
alert tcp $HOME_NET any -> [108.62.118.133] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200800; rev:1;)
alert tcp $HOME_NET any -> [51.12.89.205] 8361 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200801; rev:1;)
alert tcp $HOME_NET any -> [172.93.193.21] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200802; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.84] 8881 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200803; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.159] 7659 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905200804; rev:1;) alert tcp $HOME_NET any -> [70.36.108.28] 4444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200805; rev:1;) alert tcp $HOME_NET any -> [23.94.82.24] 10240 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200806; rev:1;) alert tcp $HOME_NET any -> [5.181.166.139] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200807; rev:1;) alert tcp $HOME_NET any -> [186.152.129.124] 2113 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200808; rev:1;) alert tcp $HOME_NET any -> [184.75.221.59] 56390 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200809; rev:1;) alert tcp $HOME_NET any -> [184.75.221.59] 3195 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200810; rev:1;) alert tcp $HOME_NET any -> [185.112.83.106] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200811; rev:1;) alert tcp $HOME_NET any -> [45.136.4.99] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200812; rev:1;) alert tcp $HOME_NET any -> [198.23.191.98] 6075 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200813; rev:1;) alert tcp $HOME_NET any -> [23.105.131.196] 9128 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200814; rev:1;) alert tcp $HOME_NET any -> [194.5.97.228] 5069 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200815; rev:1;) alert tcp $HOME_NET any -> [207.32.218.12] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200816; rev:1;) alert tcp $HOME_NET any -> [20.206.75.106] 443 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200817; rev:1;) alert tcp $HOME_NET any -> [160.20.147.52] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200818; rev:1;) alert tcp $HOME_NET any -> [103.133.105.50] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200819; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 13315 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200820; rev:1;) alert tcp $HOME_NET any -> [185.156.172.149] 2271 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200821; rev:1;) alert tcp $HOME_NET any -> [203.78.128.202] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200822; rev:1;) alert tcp $HOME_NET any -> [80.253.246.144] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200823; rev:1;) alert tcp $HOME_NET any -> [68.196.160.138] 55552 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200824; rev:1;) alert tcp $HOME_NET any -> [103.142.218.119] 99 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200825; rev:1;) alert tcp $HOME_NET any -> [149.28.31.166] 443 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200826; rev:1;) alert tcp $HOME_NET any -> [62.210.55.136] 3566 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200827; rev:1;) alert tcp $HOME_NET any -> [37.1.222.208] 1337 (msg:"SSLBL: Traffic to 
malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200828; rev:1;) alert tcp $HOME_NET any -> [185.200.116.219] 9016 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200829; rev:1;) alert tcp $HOME_NET any -> [212.193.30.96] 5022 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200830; rev:1;) alert tcp $HOME_NET any -> [212.114.52.113] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200831; rev:1;) alert tcp $HOME_NET any -> [194.5.98.251] 4598 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200832; rev:1;) alert tcp $HOME_NET any -> [185.222.57.72] 8780 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200833; rev:1;) alert tcp $HOME_NET any -> [185.222.57.72] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200834; rev:1;) alert tcp $HOME_NET any -> [185.222.57.72] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200835; rev:1;) alert tcp $HOME_NET any -> 
[18.196.41.122] 9087 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200836; rev:1;) alert tcp $HOME_NET any -> [78.173.187.50] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200837; rev:1;) alert tcp $HOME_NET any -> [188.132.156.147] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200838; rev:1;) alert tcp $HOME_NET any -> [2.56.59.146] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200839; rev:1;) alert tcp $HOME_NET any -> [213.248.179.19] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200840; rev:1;) alert tcp $HOME_NET any -> [213.152.162.79] 25256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200841; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 12728 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200842; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 12728 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200843; rev:1;) alert tcp $HOME_NET any -> [45.134.140.152] 60060 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200844; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 12728 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200845; rev:1;) alert tcp $HOME_NET any -> [51.116.125.149] 3537 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200846; rev:1;) alert tcp $HOME_NET any -> [20.54.113.5] 3131 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200847; rev:1;) alert tcp $HOME_NET any -> [192.99.131.239] 25565 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200848; rev:1;) alert tcp $HOME_NET any -> [196.77.237.119] 55555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200849; rev:1;) alert tcp $HOME_NET any -> [62.197.136.167] 1111 (msg:"SSLBL: Traffic to malicious host (likely AgentTesla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200850; rev:1;) alert tcp $HOME_NET any -> [62.197.136.195] 3333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200851; rev:1;) alert tcp $HOME_NET any -> [91.192.100.8] 8153 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200852; rev:1;) alert tcp $HOME_NET any -> [185.237.96.105] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200853; rev:1;) alert tcp $HOME_NET any -> [104.168.33.53] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200854; rev:1;) alert tcp $HOME_NET any -> [23.105.131.209] 1137 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200855; rev:1;) alert tcp $HOME_NET any -> [89.246.100.9] 8700 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200856; rev:1;) alert tcp $HOME_NET any -> [104.168.33.53] 8808 (msg:"SSLBL: Traffic to malicious host (likely Vjw0rm C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200857; rev:1;) alert tcp $HOME_NET any -> [63.141.237.188] 9954 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200858; rev:1;) alert tcp $HOME_NET any -> [147.135.106.246] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200859; rev:1;) alert tcp $HOME_NET any -> [20.114.139.208] 4498 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200860; rev:1;) alert tcp $HOME_NET any -> [185.140.53.15] 3023 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200861; rev:1;) alert tcp $HOME_NET any -> [74.201.28.166] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200862; rev:1;) alert tcp $HOME_NET any -> [141.255.147.50] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200863; rev:1;) alert tcp $HOME_NET any -> [79.134.225.9] 2349 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200864; rev:1;) alert tcp $HOME_NET any -> [85.239.33.172] 443 (msg:"SSLBL: Traffic to malicious host (likely BumbleBee C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200865; rev:1;) alert tcp $HOME_NET any -> [213.142.151.33] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200866; rev:1;) alert tcp $HOME_NET any -> [203.78.129.202] 6666 (msg:"SSLBL: Traffic to 
malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200867; rev:1;) alert tcp $HOME_NET any -> [212.192.241.130] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200868; rev:1;) alert tcp $HOME_NET any -> [51.81.105.238] 1981 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200869; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 31639 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200870; rev:1;) alert tcp $HOME_NET any -> [193.233.203.224] 4444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200871; rev:1;) alert tcp $HOME_NET any -> [87.249.134.18] 59004 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200872; rev:1;) alert tcp $HOME_NET any -> [68.235.43.172] 59004 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200873; rev:1;) alert tcp $HOME_NET any -> [67.241.61.219] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200874; rev:1;) alert tcp $HOME_NET 
any -> [193.233.191.150] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200875; rev:1;) alert tcp $HOME_NET any -> [185.225.28.148] 57652 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200876; rev:1;) alert tcp $HOME_NET any -> [142.126.195.122] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200877; rev:1;) alert tcp $HOME_NET any -> [45.158.77.78] 10135 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200878; rev:1;) alert tcp $HOME_NET any -> [5.39.15.167] 88 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200879; rev:1;) alert tcp $HOME_NET any -> [193.23.160.250] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200880; rev:1;) alert tcp $HOME_NET any -> [212.220.202.104] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200881; rev:1;) alert tcp $HOME_NET any -> [107.182.128.18] 3030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200882; rev:1;) alert tcp $HOME_NET any -> [62.204.41.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Matanbuchus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200883; rev:1;) alert tcp $HOME_NET any -> [62.204.41.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Matanbuchus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200884; rev:1;) alert tcp $HOME_NET any -> [62.204.41.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Matanbuchus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200885; rev:1;) alert tcp $HOME_NET any -> [213.226.114.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Matanbuchus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200886; rev:1;) alert tcp $HOME_NET any -> [106.55.17.200] 62002 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200887; rev:1;) alert tcp $HOME_NET any -> [45.137.22.152] 8472 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200888; rev:1;) alert tcp $HOME_NET any -> [103.147.185.182] 1170 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200889; rev:1;) alert tcp $HOME_NET any -> [119.91.100.114] 7890 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200890; rev:1;) alert tcp $HOME_NET any -> [198.23.200.102] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200891; rev:1;) alert tcp $HOME_NET any -> [193.233.185.161] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200892; rev:1;) alert tcp $HOME_NET any -> [77.247.127.10] 9898 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200893; rev:1;) alert tcp $HOME_NET any -> [96.8.112.20] 3355 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200894; rev:1;) alert tcp $HOME_NET any -> [185.29.8.22] 4444 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200895; rev:1;) alert tcp $HOME_NET any -> [185.66.91.81] 6121 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200896; rev:1;) alert tcp $HOME_NET any -> [45.133.1.152] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200897; rev:1;) alert tcp $HOME_NET any -> [208.109.33.30] 7777 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200898; rev:1;) alert tcp $HOME_NET any -> [45.133.1.152] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200899; rev:1;) alert tcp $HOME_NET any -> [104.250.169.66] 1994 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200900; rev:1;) alert tcp $HOME_NET any -> [213.152.187.205] 51833 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200901; rev:1;) alert tcp $HOME_NET any -> [107.175.3.110] 6900 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200902; rev:1;) alert tcp $HOME_NET any -> [91.203.192.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200903; rev:1;) alert tcp $HOME_NET any -> [193.37.213.16] 443 (msg:"SSLBL: Traffic to malicious host (likely DarkWatchman C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200904; rev:1;) alert tcp $HOME_NET any -> [198.23.145.147] 1137 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200905; rev:1;) alert tcp $HOME_NET any -> [194.147.140.17] 9300 
(msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200906; rev:1;) alert tcp $HOME_NET any -> [208.109.33.30] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200907; rev:1;) alert tcp $HOME_NET any -> [2.56.56.88] 2406 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200908; rev:1;) alert tcp $HOME_NET any -> [80.66.64.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200909; rev:1;) alert tcp $HOME_NET any -> [195.2.81.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200910; rev:1;) alert tcp $HOME_NET any -> [5.188.90.197] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200911; rev:1;) alert tcp $HOME_NET any -> [85.202.169.140] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200912; rev:1;) alert tcp $HOME_NET any -> [85.202.169.140] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200913; rev:1;) alert 
tcp $HOME_NET any -> [92.255.111.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200914; rev:1;) alert tcp $HOME_NET any -> [62.197.136.69] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200915; rev:1;) alert tcp $HOME_NET any -> [182.186.84.121] 6904 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200916; rev:1;) alert tcp $HOME_NET any -> [5.188.89.1] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200917; rev:1;) alert tcp $HOME_NET any -> [217.195.197.70] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200918; rev:1;) alert tcp $HOME_NET any -> [45.131.109.121] 8080 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200919; rev:1;) alert tcp $HOME_NET any -> [157.90.206.56] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200920; rev:1;) alert tcp $HOME_NET any -> [20.77.254.176] 2200 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905200921; rev:1;) alert tcp $HOME_NET any -> [91.109.188.10] 7782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200922; rev:1;) alert tcp $HOME_NET any -> [62.197.136.165] 8080 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200923; rev:1;) alert tcp $HOME_NET any -> [172.93.179.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Neurevt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200924; rev:1;) alert tcp $HOME_NET any -> [147.189.174.182] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200925; rev:1;) alert tcp $HOME_NET any -> [92.42.46.216] 1996 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200926; rev:1;) alert tcp $HOME_NET any -> [194.31.98.80] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200927; rev:1;) alert tcp $HOME_NET any -> [5.230.68.234] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200928; rev:1;) alert tcp $HOME_NET any -> [51.195.196.86] 8868 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200929; rev:1;) alert tcp $HOME_NET any -> [20.224.162.224] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200930; rev:1;) alert tcp $HOME_NET any -> [2.224.144.191] 2222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200931; rev:1;) alert tcp $HOME_NET any -> [207.32.218.11] 1996 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200932; rev:1;) alert tcp $HOME_NET any -> [37.0.11.155] 4670 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200933; rev:1;) alert tcp $HOME_NET any -> [147.189.168.74] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200934; rev:1;) alert tcp $HOME_NET any -> [194.156.91.122] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200935; rev:1;) alert tcp $HOME_NET any -> [84.54.13.44] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200936; rev:1;) alert tcp $HOME_NET any -> [46.183.220.21] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200937; rev:1;) alert tcp $HOME_NET any -> [85.239.53.9] 443 (msg:"SSLBL: Traffic to malicious host (likely BlackGuard C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200938; rev:1;) alert tcp $HOME_NET any -> [191.101.130.32] 1121 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200939; rev:1;) alert tcp $HOME_NET any -> [20.89.177.186] 21245 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200940; rev:1;) alert tcp $HOME_NET any -> [185.94.29.170] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200941; rev:1;) alert tcp $HOME_NET any -> [37.48.117.136] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200942; rev:1;) alert tcp $HOME_NET any -> [212.174.54.164] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200943; rev:1;) alert tcp $HOME_NET any -> [136.144.41.223] 8394 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200944; rev:1;) alert tcp $HOME_NET any -> [178.255.148.221] 1974 (msg:"SSLBL: Traffic to 
malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200945; rev:1;) alert tcp $HOME_NET any -> [23.106.215.217] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200946; rev:1;) alert tcp $HOME_NET any -> [78.142.29.103] 7332 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200947; rev:1;) alert tcp $HOME_NET any -> [3.144.124.4] 7771 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200948; rev:1;) alert tcp $HOME_NET any -> [182.190.87.87] 1555 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200949; rev:1;) alert tcp $HOME_NET any -> [78.186.210.130] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200950; rev:1;) alert tcp $HOME_NET any -> [45.176.91.143] 9001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200951; rev:1;) alert tcp $HOME_NET any -> [156.249.29.8] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200952; rev:1;) alert tcp $HOME_NET any -> 
[45.242.220.23] 50 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200953; rev:1;) alert tcp $HOME_NET any -> [213.226.114.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Matanbuchus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200954; rev:1;) alert tcp $HOME_NET any -> [205.185.121.4] 8790 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200955; rev:1;) alert tcp $HOME_NET any -> [2.56.56.180] 4444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200956; rev:1;) alert tcp $HOME_NET any -> [185.38.84.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Matanbuchus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200957; rev:1;) alert tcp $HOME_NET any -> [185.199.226.19] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200958; rev:1;) alert tcp $HOME_NET any -> [3.83.129.253] 4747 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200959; rev:1;) alert tcp $HOME_NET any -> [217.64.31.3] 8437 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905200960; rev:1;) alert tcp $HOME_NET any -> [45.10.40.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Matanbuchus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200961; rev:1;) alert tcp $HOME_NET any -> [192.236.147.212] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200962; rev:1;) alert tcp $HOME_NET any -> [217.195.197.85] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200963; rev:1;) alert tcp $HOME_NET any -> [84.54.13.124] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200964; rev:1;) alert tcp $HOME_NET any -> [192.236.160.249] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200965; rev:1;) alert tcp $HOME_NET any -> [192.236.176.108] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200966; rev:1;) alert tcp $HOME_NET any -> [212.193.30.144] 7331 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200967; rev:1;) alert tcp $HOME_NET any -> [93.177.75.30] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905200968; rev:1;) alert tcp $HOME_NET any -> [185.81.157.169] 2022 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200969; rev:1;) alert tcp $HOME_NET any -> [201.219.204.73] 1882 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200970; rev:1;) alert tcp $HOME_NET any -> [185.171.91.4] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200971; rev:1;) alert tcp $HOME_NET any -> [92.118.36.201] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200972; rev:1;) alert tcp $HOME_NET any -> [51.83.134.252] 17650 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200973; rev:1;) alert tcp $HOME_NET any -> [185.222.57.203] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200974; rev:1;) alert tcp $HOME_NET any -> [107.182.237.14] 58453 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200975; rev:1;) alert tcp $HOME_NET any -> [89.134.228.127] 45000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200976; rev:1;) alert tcp $HOME_NET any -> [3.141.210.37] 12300 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200977; rev:1;) alert tcp $HOME_NET any -> [119.91.99.194] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200978; rev:1;) alert tcp $HOME_NET any -> [3.141.142.211] 10164 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200979; rev:1;) alert tcp $HOME_NET any -> [176.9.31.109] 3674 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200980; rev:1;) alert tcp $HOME_NET any -> [27.50.175.215] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200981; rev:1;) alert tcp $HOME_NET any -> [104.37.172.204] 56777 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200982; rev:1;) alert tcp $HOME_NET any -> [8.218.16.104] 65500 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200983; rev:1;) alert tcp $HOME_NET any -> [45.32.26.164] 443 (msg:"SSLBL: Traffic to malicious host 
(likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200984; rev:1;) alert tcp $HOME_NET any -> [192.30.89.51] 29843 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200985; rev:1;) alert tcp $HOME_NET any -> [185.81.157.202] 2535 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200986; rev:1;) alert tcp $HOME_NET any -> [92.118.36.201] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200987; rev:1;) alert tcp $HOME_NET any -> [49.12.0.239] 3760 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200988; rev:1;) alert tcp $HOME_NET any -> [193.29.104.92] 3579 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200989; rev:1;) alert tcp $HOME_NET any -> [5.249.161.198] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200990; rev:1;) alert tcp $HOME_NET any -> [181.130.9.145] 6525 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200991; rev:1;) alert tcp $HOME_NET any -> [2.58.56.184] 
1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200992; rev:1;) alert tcp $HOME_NET any -> [161.97.148.204] 1604 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200993; rev:1;) alert tcp $HOME_NET any -> [66.135.4.203] 2022 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200994; rev:1;) alert tcp $HOME_NET any -> [2.56.59.189] 8898 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200995; rev:1;) alert tcp $HOME_NET any -> [194.33.45.175] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200996; rev:1;) alert tcp $HOME_NET any -> [141.255.156.118] 2000 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200997; rev:1;) alert tcp $HOME_NET any -> [142.202.240.88] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200998; rev:1;) alert tcp $HOME_NET any -> [185.140.53.63] 8721 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200999; rev:1;) alert 
tcp $HOME_NET any -> [178.208.94.214] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201000; rev:1;) alert tcp $HOME_NET any -> [103.89.88.236] 1998 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201001; rev:1;) alert tcp $HOME_NET any -> [149.56.43.121] 4199 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201002; rev:1;) alert tcp $HOME_NET any -> [194.104.136.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201003; rev:1;) alert tcp $HOME_NET any -> [182.191.220.118] 1555 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201004; rev:1;) alert tcp $HOME_NET any -> [163.123.142.251] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201005; rev:1;) alert tcp $HOME_NET any -> [194.31.98.58] 2405 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201006; rev:1;) alert tcp $HOME_NET any -> [3.132.159.158] 15838 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201007; rev:1;) alert tcp $HOME_NET any -> [185.62.58.85] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201008; rev:1;) alert tcp $HOME_NET any -> [139.60.161.165] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201009; rev:1;) alert tcp $HOME_NET any -> [154.212.139.228] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201010; rev:1;) alert tcp $HOME_NET any -> [95.217.146.171] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201011; rev:1;) alert tcp $HOME_NET any -> [91.240.118.99] 2780 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201012; rev:1;) alert tcp $HOME_NET any -> [91.193.75.135] 47582 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201013; rev:1;) alert tcp $HOME_NET any -> [159.69.234.4] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201014; rev:1;) alert tcp $HOME_NET any -> [89.223.71.59] 5856 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201015; rev:1;) alert tcp $HOME_NET any -> [208.51.61.44] 128 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201016; rev:1;) alert tcp $HOME_NET any -> [212.68.34.230] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201017; rev:1;) alert tcp $HOME_NET any -> [207.32.217.246] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201018; rev:1;) alert tcp $HOME_NET any -> [172.247.14.52] 12530 (msg:"SSLBL: Traffic to malicious host (likely PhoenixRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201019; rev:1;) alert tcp $HOME_NET any -> [144.126.209.63] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201020; rev:1;) alert tcp $HOME_NET any -> [159.69.234.3] 4041 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201021; rev:1;) alert tcp $HOME_NET any -> [159.69.234.3] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201022; rev:1;) alert tcp $HOME_NET any -> [52.15.81.204] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201023; rev:1;) alert tcp $HOME_NET any -> [129.151.83.165] 7177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201024; rev:1;) alert tcp $HOME_NET any -> [41.225.46.176] 1234 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201025; rev:1;) alert tcp $HOME_NET any -> [141.255.144.117] 2000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201026; rev:1;) alert tcp $HOME_NET any -> [85.202.169.69] 4573 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201027; rev:1;) alert tcp $HOME_NET any -> [3.141.177.1] 19070 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201028; rev:1;) alert tcp $HOME_NET any -> [35.170.192.250] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201029; rev:1;) alert tcp $HOME_NET any -> [104.128.189.120] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201030; rev:1;) alert tcp $HOME_NET any -> [45.242.93.241] 5 (msg:"SSLBL: Traffic 
to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201031; rev:1;) alert tcp $HOME_NET any -> [103.153.73.37] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201032; rev:1;) alert tcp $HOME_NET any -> [3.128.107.74] 10328 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201033; rev:1;) alert tcp $HOME_NET any -> [122.186.23.243] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201034; rev:1;) alert tcp $HOME_NET any -> [51.81.142.111] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201035; rev:1;) alert tcp $HOME_NET any -> [193.176.87.152] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201036; rev:1;) alert tcp $HOME_NET any -> [23.146.242.85] 1111 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201037; rev:1;) alert tcp $HOME_NET any -> [62.197.136.175] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201038; rev:1;) alert tcp $HOME_NET any -> 
[158.69.144.161] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201039; rev:1;) alert tcp $HOME_NET any -> [20.113.159.145] 3162 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201040; rev:1;) alert tcp $HOME_NET any -> [159.65.243.143] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201041; rev:1;) alert tcp $HOME_NET any -> [159.203.126.35] 22339 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201042; rev:1;) alert tcp $HOME_NET any -> [51.222.69.215] 8320 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201043; rev:1;) alert tcp $HOME_NET any -> [2.56.57.55] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201044; rev:1;) alert tcp $HOME_NET any -> [20.111.34.199] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201045; rev:1;) alert tcp $HOME_NET any -> [185.140.53.165] 55441 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201046; 
rev:1;) alert tcp $HOME_NET any -> [147.50.253.67] 3926 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201047; rev:1;) alert tcp $HOME_NET any -> [193.124.57.113] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201048; rev:1;) alert tcp $HOME_NET any -> [185.140.53.60] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201049; rev:1;) alert tcp $HOME_NET any -> [5.230.70.13] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201050; rev:1;) alert tcp $HOME_NET any -> [212.192.246.87] 5803 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201051; rev:1;) alert tcp $HOME_NET any -> [23.100.22.106] 5877 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201052; rev:1;) alert tcp $HOME_NET any -> [62.197.136.175] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201053; rev:1;) alert tcp $HOME_NET any -> [158.69.152.26] 54329 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201054; rev:1;) alert tcp $HOME_NET any -> [20.69.124.187] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201055; rev:1;) alert tcp $HOME_NET any -> [146.70.51.37] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201056; rev:1;) alert tcp $HOME_NET any -> [94.103.87.238] 10135 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201057; rev:1;) alert tcp $HOME_NET any -> [101.99.94.33] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201058; rev:1;) alert tcp $HOME_NET any -> [194.127.179.167] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201059; rev:1;) alert tcp $HOME_NET any -> [194.5.98.120] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201060; rev:1;) alert tcp $HOME_NET any -> [91.245.255.120] 4040 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201061; rev:1;) alert tcp $HOME_NET any -> [185.61.151.24] 1177 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201062; rev:1;) alert tcp $HOME_NET any -> [185.140.53.198] 62748 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201063; rev:1;) alert tcp $HOME_NET any -> [41.234.46.29] 1338 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201064; rev:1;) alert tcp $HOME_NET any -> [45.61.184.36] 5050 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201065; rev:1;) alert tcp $HOME_NET any -> [104.215.84.159] 9090 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201066; rev:1;) alert tcp $HOME_NET any -> [15.235.10.108] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201067; rev:1;) alert tcp $HOME_NET any -> [5.95.206.230] 1609 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201068; rev:1;) alert tcp $HOME_NET any -> [51.178.13.102] 8324 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201069; rev:1;) alert tcp $HOME_NET any -> [15.235.13.122] 3000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201070; rev:1;)
# 185.162.74.65 is listed on two ports in this stretch (4044 under sid 905201071,
# 5455 under sid 905201073). Alerts from either sid point at the same remote host;
# correlate on destination IP during triage rather than treating them as two findings.
alert tcp $HOME_NET any -> [185.162.74.65] 4044 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201071; rev:1;)
alert tcp $HOME_NET any -> [15.235.10.108] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201072; rev:1;)
alert tcp $HOME_NET any -> [185.162.74.65] 5455 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201073; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.176] 7469 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201074; rev:1;)
# The next three rules carry the generic label "Malware": the msg names no family.
# They match destination IP and port 443 only, with no TLS or payload condition, and
# the rule text carries no first-seen/last-seen date.
# NOTE(review): an alert here shows only that a $HOME_NET host completed a TCP
# handshake with a listed address on 443; confirm with host or TLS telemetry before
# escalating, since this list is the "Aggressive" variant.
alert tcp $HOME_NET any -> [103.153.157.33] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201075; rev:1;)
alert tcp $HOME_NET any -> [139.162.103.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201076; rev:1;)
alert tcp $HOME_NET any -> [5.34.178.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201077; rev:1;)
alert tcp $HOME_NET any -> [212.192.246.239] 1001 (msg:"SSLBL: Traffic to malicious 
host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201078; rev:1;) alert tcp $HOME_NET any -> [185.14.31.158] 443 (msg:"SSLBL: Traffic to malicious host (likely Matanbuchus C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201079; rev:1;) alert tcp $HOME_NET any -> [212.192.246.239] 8000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201080; rev:1;) alert tcp $HOME_NET any -> [66.29.141.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201081; rev:1;) alert tcp $HOME_NET any -> [18.189.106.45] 12394 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201082; rev:1;) alert tcp $HOME_NET any -> [5.161.76.198] 2003 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201083; rev:1;) alert tcp $HOME_NET any -> [20.83.245.27] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201084; rev:1;) alert tcp $HOME_NET any -> [212.192.246.239] 228 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201085; rev:1;) alert tcp $HOME_NET any -> 
[37.0.10.214] 6171 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201086; rev:1;) alert tcp $HOME_NET any -> [172.245.94.220] 10090 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201087; rev:1;) alert tcp $HOME_NET any -> [2.56.59.53] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201088; rev:1;) alert tcp $HOME_NET any -> [3.128.107.74] 16030 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201089; rev:1;) alert tcp $HOME_NET any -> [195.133.18.32] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201090; rev:1;) alert tcp $HOME_NET any -> [89.238.150.43] 57095 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201091; rev:1;) alert tcp $HOME_NET any -> [3.134.125.175] 17709 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201092; rev:1;) alert tcp $HOME_NET any -> [141.95.89.79] 2005 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201093; rev:1;)
alert tcp $HOME_NET any -> [2.56.59.167] 420 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201094; rev:1;)
alert tcp $HOME_NET any -> [41.102.117.114] 500 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201095; rev:1;)
alert tcp $HOME_NET any -> [5.230.72.132] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201096; rev:1;)
alert tcp $HOME_NET any -> [185.29.8.124] 54882 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201097; rev:1;)
alert tcp $HOME_NET any -> [137.117.100.173] 443 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201098; rev:1;)
# 194.5.98.120 is also listed on port 1234 under sid 905201060 with a BitRAT label;
# here the same address is labelled NanoCore on port 8647. The family in msg is the
# feed's "likely" attribution per IP/port entry, not something this rule verifies,
# so treat it as a triage hint and identify the family from the endpoint.
alert tcp $HOME_NET any -> [194.5.98.120] 8647 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201099; rev:1;)
alert tcp $HOME_NET any -> [78.191.189.97] 81 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201100; rev:1;)
alert tcp $HOME_NET any -> [78.171.150.184] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905201101; rev:1;) alert tcp $HOME_NET any -> [135.148.74.241] 8080 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201102; rev:1;) alert tcp $HOME_NET any -> [52.188.19.78] 9090 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201103; rev:1;) alert tcp $HOME_NET any -> [167.71.7.168] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201104; rev:1;) alert tcp $HOME_NET any -> [185.222.57.80] 6275 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201105; rev:1;) alert tcp $HOME_NET any -> [162.33.177.154] 706 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201106; rev:1;) alert tcp $HOME_NET any -> [3.142.81.166] 18921 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201107; rev:1;) alert tcp $HOME_NET any -> [45.138.99.3] 3796 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201108; rev:1;) alert tcp $HOME_NET any -> [138.201.2.2] 2022 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201109; rev:1;) alert tcp $HOME_NET any -> [104.243.37.4] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201110; rev:1;) alert tcp $HOME_NET any -> [23.94.159.212] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201111; rev:1;) alert tcp $HOME_NET any -> [191.101.130.4] 9090 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201112; rev:1;) alert tcp $HOME_NET any -> [217.64.149.171] 9009 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201113; rev:1;) alert tcp $HOME_NET any -> [195.242.111.73] 8848 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201114; rev:1;) alert tcp $HOME_NET any -> [14.32.99.105] 808 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201115; rev:1;) alert tcp $HOME_NET any -> [212.192.241.87] 3678 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201116; rev:1;) alert tcp $HOME_NET any -> [212.192.241.194] 7271 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201117; rev:1;) alert tcp $HOME_NET any -> [212.192.241.51] 9173 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201118; rev:1;) alert tcp $HOME_NET any -> [193.142.146.212] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201119; rev:1;) alert tcp $HOME_NET any -> [88.248.18.120] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201120; rev:1;) alert tcp $HOME_NET any -> [2.56.57.210] 7787 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201121; rev:1;) alert tcp $HOME_NET any -> [79.18.45.237] 1900 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201122; rev:1;) alert tcp $HOME_NET any -> [3.91.91.127] 3071 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201123; rev:1;) alert tcp $HOME_NET any -> [2.58.149.136] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201124; rev:1;) alert tcp $HOME_NET any -> [45.32.92.219] 4444 (msg:"SSLBL: Traffic to malicious host 
(likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201125; rev:1;) alert tcp $HOME_NET any -> [144.126.129.113] 54809 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201126; rev:1;) alert tcp $HOME_NET any -> [136.144.41.207] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201127; rev:1;) alert tcp $HOME_NET any -> [172.94.118.99] 1117 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201128; rev:1;) alert tcp $HOME_NET any -> [20.108.44.45] 3152 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201129; rev:1;) alert tcp $HOME_NET any -> [193.164.7.108] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201130; rev:1;) alert tcp $HOME_NET any -> [146.19.57.77] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201131; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 16416 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201132; rev:1;) alert tcp $HOME_NET any -> [181.141.3.105] 7707 
(msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201133; rev:1;) alert tcp $HOME_NET any -> [94.130.208.107] 2021 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201134; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 27383 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201135; rev:1;) alert tcp $HOME_NET any -> [89.238.150.43] 5512 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201136; rev:1;) alert tcp $HOME_NET any -> [14.32.99.105] 443 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201137; rev:1;) alert tcp $HOME_NET any -> [20.124.111.166] 2223 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201138; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 23636 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201139; rev:1;) alert tcp $HOME_NET any -> [154.16.248.173] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201140; rev:1;) alert 
tcp $HOME_NET any -> [185.20.187.18] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201141; rev:1;) alert tcp $HOME_NET any -> [193.149.3.239] 1938 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201142; rev:1;) alert tcp $HOME_NET any -> [107.172.44.141] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201143; rev:1;) alert tcp $HOME_NET any -> [35.195.10.252] 443 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201144; rev:1;) alert tcp $HOME_NET any -> [185.7.214.8] 4449 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201145; rev:1;) alert tcp $HOME_NET any -> [23.19.58.166] 21501 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201146; rev:1;) alert tcp $HOME_NET any -> [179.13.1.253] 8055 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201147; rev:1;) alert tcp $HOME_NET any -> [103.151.239.166] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201148; rev:1;)
# Destination port 22 is the conventional SSH port. The rule has no protocol or
# content condition, so it fires on any established TCP session from $HOME_NET to
# this address on that port.
# NOTE(review): check what the source host actually ran (process and session
# telemetry) before attributing an alert from this sid to AsyncRAT.
alert tcp $HOME_NET any -> [135.125.27.236] 22 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201149; rev:1;)
alert tcp $HOME_NET any -> [177.153.55.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Ousaban C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201150; rev:1;)
alert tcp $HOME_NET any -> [194.180.174.113] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201151; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.161] 6600 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201152; rev:1;)
alert tcp $HOME_NET any -> [84.140.101.75] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201153; rev:1;)
# 107.182.128.19 is listed on two ports: 8808 (sid 905201154) and 7707
# (sid 905201156). Both sids identify the same remote host.
alert tcp $HOME_NET any -> [107.182.128.19] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201154; rev:1;)
alert tcp $HOME_NET any -> [103.89.89.172] 5200 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201155; rev:1;)
alert tcp $HOME_NET any -> [107.182.128.19] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905201156; rev:1;)
# Rule anatomy, as used by every entry here:
#   - "$HOME_NET any -> [ip] port" with "flow:established,to_server" matches only
#     client-to-server traffic of an established TCP session from $HOME_NET to the
#     listed endpoint; nothing in the payload or TLS handshake is inspected.
#   - "threshold: type limit, track by_src, seconds 60, count 1" emits at most one
#     alert per source address per 60 seconds for each sid, so the number of alerts
#     says nothing about how many connections were made.
# Detection depends on $HOME_NET being set to the monitored address space.
alert tcp $HOME_NET any -> [34.140.211.85] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201157; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.242] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201158; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.137] 2331 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201159; rev:1;)
alert tcp $HOME_NET any -> [5.68.138.73] 3939 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201160; rev:1;)
# NOTE(review): sid 905201161 and sid 905201162 match the identical endpoint
# (103.133.111.110, port 5200) and differ only in the family named in msg
# (DCRat vs AsyncRAT). A single connection raises both alerts. Deduplicate on
# destination IP/port when counting incidents, and do not read either family label
# as confirmed; a suppression written for one sid leaves the other firing.
alert tcp $HOME_NET any -> [103.133.111.110] 5200 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201161; rev:1;)
alert tcp $HOME_NET any -> [103.133.111.110] 5200 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201162; rev:1;)
alert tcp $HOME_NET any -> [104.41.145.218] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201163; rev:1;)
alert tcp $HOME_NET any -> [79.110.52.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201164; rev:1;) alert tcp $HOME_NET any -> [79.110.52.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201165; rev:1;) alert tcp $HOME_NET any -> [216.126.224.171] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201166; rev:1;) alert tcp $HOME_NET any -> [2.59.119.56] 3131 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201167; rev:1;) alert tcp $HOME_NET any -> [23.106.122.216] 8808 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201168; rev:1;) alert tcp $HOME_NET any -> [38.130.221.190] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201169; rev:1;) alert tcp $HOME_NET any -> [191.101.130.175] 7663 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201170; rev:1;) alert tcp $HOME_NET any -> [185.163.45.124] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201171; rev:1;) alert tcp $HOME_NET any -> [194.5.98.25] 3389 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201172; rev:1;)
# Reviewer note on the entries below: each rule matches on destination IP and
# TCP port only (no TLS, certificate or payload keyword), so it fires on any
# established client-to-server flow from $HOME_NET to that endpoint.
# `threshold: type limit, track by_src, seconds 60, count 1` caps output at one
# alert per source host per 60 seconds for a rule; it does not limit matching.
# The malware family in msg is the feed's "likely" attribution, not something
# the rule itself verifies. Listed addresses can be reassigned or shared, so
# confirm a hit against the current SSLBL entry and host telemetry before
# acting on it.
alert tcp $HOME_NET any -> [193.56.146.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201173; rev:1;)
alert tcp $HOME_NET any -> [193.56.146.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201174; rev:1;)
alert tcp $HOME_NET any -> [193.56.146.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201175; rev:1;)
alert tcp $HOME_NET any -> [129.151.91.127] 7177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201176; rev:1;)
alert tcp $HOME_NET any -> [194.124.76.239] 50354 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201177; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.50] 3472 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201178; rev:1;)
alert tcp $HOME_NET any -> [2.56.56.122] 2022 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201179; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.254] 1010 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201180; rev:1;)
alert tcp $HOME_NET any -> [3.138.180.119] 18729 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201181; rev:1;)
alert tcp $HOME_NET any -> [194.85.248.211] 1337 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201182; rev:1;)
alert tcp $HOME_NET any -> [84.38.130.171] 9216 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201183; rev:1;)
alert tcp $HOME_NET any -> [13.66.153.98] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201184; rev:1;)
alert tcp $HOME_NET any -> [3.94.85.211] 1177 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201185; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.237] 1195 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201186; rev:1;)
alert tcp $HOME_NET any -> [194.104.136.42] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201187; rev:1;)
alert tcp $HOME_NET any -> [91.151.94.59] 1212 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201188; rev:1;)
alert tcp $HOME_NET any -> [20.151.221.59] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201189; rev:1;)
alert tcp $HOME_NET any -> [74.119.195.9] 4821 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201190; rev:1;)
alert tcp $HOME_NET any -> [194.85.248.114] 3462 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201191; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.186] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201192; rev:1;)
alert tcp $HOME_NET any -> [129.151.93.162] 7177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201193; rev:1;)
alert tcp $HOME_NET any -> [168.119.140.238] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201194; rev:1;)
alert tcp $HOME_NET any -> [91.192.10.70] 63803 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201195; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.149] 4898 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201196; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.19] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201197; rev:1;)
alert tcp $HOME_NET any -> [93.190.8.71] 3131 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201198; rev:1;)
alert tcp $HOME_NET any -> [45.72.78.38] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201199; rev:1;)
alert tcp $HOME_NET any -> [94.26.90.47] 2030 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201200; rev:1;)
alert tcp $HOME_NET any -> [185.92.74.18] 3391 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201201; rev:1;)
alert tcp $HOME_NET any -> [89.44.9.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201202; rev:1;)
alert tcp $HOME_NET any -> [54.233.90.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201203; rev:1;)
alert tcp $HOME_NET any -> [98.238.116.145] 30815 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201204; rev:1;)
alert tcp $HOME_NET any -> [116.202.14.219] 443 (msg:"SSLBL: Traffic to malicious host (likely ArkeiStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201205; rev:1;)
alert tcp $HOME_NET any -> [152.89.162.59] 9090 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201206; rev:1;)
alert tcp $HOME_NET any -> [20.113.26.85] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201207; rev:1;)
alert tcp $HOME_NET any -> [20.199.120.149] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201208; rev:1;)
alert tcp $HOME_NET any -> [37.0.11.190] 7358 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201209; rev:1;)
alert tcp $HOME_NET any -> [88.235.10.23] 9812 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201210; rev:1;)
alert tcp $HOME_NET any -> [31.220.44.253] 28754 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201211; rev:1;)
alert tcp $HOME_NET any -> [192.3.121.153] 7917 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201212; rev:1;)
alert tcp $HOME_NET any -> [91.208.206.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201213; rev:1;)
alert tcp $HOME_NET any -> [84.201.188.187] 666 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201214; rev:1;)
alert tcp $HOME_NET any -> [45.144.225.178] 1616 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201215; rev:1;)
alert tcp $HOME_NET any -> [74.201.73.122] 10600 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201216; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.149] 2050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201217; rev:1;)
alert tcp $HOME_NET any -> [37.0.11.53] 7719 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201218; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.54] 4449 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201219; rev:1;)
alert tcp $HOME_NET any -> [95.217.25.51] 443 (msg:"SSLBL: Traffic to malicious host (likely ArkeiStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201220; rev:1;)
alert tcp $HOME_NET any -> [31.210.20.192] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201221; rev:1;)
alert tcp $HOME_NET any -> [197.26.105.145] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201222; rev:1;)
alert tcp $HOME_NET any -> [45.144.225.192] 1008 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201223; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.29] 2331 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201224; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.10] 443 (msg:"SSLBL: Traffic to malicious host (likely VoidLogger traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201225; rev:1;)
alert tcp $HOME_NET any -> [88.214.56.192] 2021 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201226; rev:1;)
alert tcp $HOME_NET any -> [41.79.11.214] 61032 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201227; rev:1;)
alert tcp $HOME_NET any -> [107.175.178.6] 7277 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201228; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.24] 3091 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201229; rev:1;)
alert tcp $HOME_NET any -> [173.225.115.240] 3333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201230; rev:1;)
alert tcp $HOME_NET any -> [5.230.70.106] 1560 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201231; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.203] 1008 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201232; rev:1;)
alert tcp $HOME_NET any -> [34.68.50.44] 8888 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201233; rev:1;)
alert tcp $HOME_NET any -> [191.91.177.6] 7784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201234; rev:1;)
alert tcp $HOME_NET any -> [41.36.83.211] 1440 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201235; rev:1;)
alert tcp $HOME_NET any -> [89.248.173.187] 5506 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201236; rev:1;)
alert tcp $HOME_NET any -> [212.192.246.217] 4444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201237; rev:1;)
alert tcp $HOME_NET any -> [212.192.241.135] 4449 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201238; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.155] 1609 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201239; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.132] 5529 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201240; rev:1;)
alert tcp $HOME_NET any -> [40.88.44.226] 2223 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201241; rev:1;)
alert tcp $HOME_NET any -> [213.227.155.219] 443 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201242; rev:1;)
alert tcp $HOME_NET any -> [96.9.210.115] 4449 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201243; rev:1;)
alert tcp $HOME_NET any -> [207.32.218.40] 5505 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201244; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.157] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201245; rev:1;)
alert tcp $HOME_NET any -> [185.170.144.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201246; rev:1;)
alert tcp $HOME_NET any -> [74.81.52.179] 2610 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201247; rev:1;)
alert tcp $HOME_NET any -> [34.121.150.14] 4542 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201248; rev:1;)
alert tcp $HOME_NET any -> [185.127.19.10] 80 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201249; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.129] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201250; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.115] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201251; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.115] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201252; rev:1;)
alert tcp $HOME_NET any -> [23.105.171.80] 33957 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201253; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.115] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201254; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.42] 6703 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201255; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.132] 9909 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201256; rev:1;)
alert tcp $HOME_NET any -> [202.55.133.118] 5200 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201257; rev:1;)
alert tcp $HOME_NET any -> [178.20.226.121] 404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201258; rev:1;)
alert tcp $HOME_NET any -> [91.92.109.70] 5353 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201259; rev:1;)
alert tcp $HOME_NET any -> [185.29.11.28] 43147 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201260; rev:1;)
alert tcp $HOME_NET any -> [212.192.246.236] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201261; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 19858 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201262; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.71] 783 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201263; rev:1;)
alert tcp $HOME_NET any -> [103.167.90.172] 6275 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201264; rev:1;)
alert tcp $HOME_NET any -> [110.40.185.35] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201265; rev:1;)
alert tcp $HOME_NET any -> [45.130.41.15] 443 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201266; rev:1;)
alert tcp $HOME_NET any -> [91.151.88.146] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201267; rev:1;)
alert tcp $HOME_NET any -> [52.183.37.26] 1452 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201268; rev:1;)
alert tcp $HOME_NET any -> [178.20.40.235] 7777 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201269; rev:1;)
alert tcp $HOME_NET any -> [85.209.87.175] 8668 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201270; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.212] 1199 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201271; rev:1;)
alert tcp $HOME_NET any -> [185.250.148.54] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201272; rev:1;)
alert tcp $HOME_NET any -> [40.90.210.21] 3054 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201273; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.70] 36374 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201274; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.154] 6275 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201275; rev:1;)
alert tcp $HOME_NET any -> [194.127.178.3] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201276; rev:1;)
alert tcp $HOME_NET any -> [194.127.178.3] 3578 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201277; rev:1;)
alert tcp $HOME_NET any -> [178.238.8.157] 9091 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201278; rev:1;)
alert tcp $HOME_NET any -> [195.133.40.157] 9909 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201279; rev:1;)
alert tcp $HOME_NET any -> [78.135.85.3] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201280; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.151] 59790 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201281; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.154] 45216 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201282; rev:1;)
alert tcp $HOME_NET any -> [104.37.175.107] 2003 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201283; rev:1;)
alert tcp $HOME_NET any -> [37.120.222.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201284; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.36] 4044 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201285; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.151] 59668 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201286; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.154] 51390 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201287; rev:1;)
alert tcp $HOME_NET any -> [193.29.104.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201288; rev:1;)
alert tcp $HOME_NET any -> [185.157.160.136] 1973 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201289; rev:1;)
alert tcp $HOME_NET any -> [193.29.104.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201290; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.171] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201291; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.70] 24626 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201292; rev:1;)
alert tcp $HOME_NET any -> [91.151.94.60] 1212 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201293; rev:1;)
alert tcp $HOME_NET any -> [20.36.20.111] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201294; rev:1;)
alert tcp $HOME_NET any -> [52.144.47.89] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201295; rev:1;)
alert tcp $HOME_NET any -> [193.187.91.102] 9090 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201296; rev:1;)
alert tcp $HOME_NET any -> [45.133.1.54] 43417 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201297; rev:1;)
alert tcp $HOME_NET any -> [207.32.217.158] 2021 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201298; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.115] 14496 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201299; rev:1;)
alert tcp $HOME_NET any -> [47.96.125.245] 45002 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201300; rev:1;)
alert tcp $HOME_NET any -> [37.120.222.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201301; rev:1;)
alert tcp $HOME_NET any -> [46.183.221.26] 9909 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201302; rev:1;)
alert tcp $HOME_NET any -> [180.214.239.36] 6090 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201303; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.248] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201304; rev:1;)
alert tcp $HOME_NET any -> [65.108.23.97] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201305; rev:1;)
alert tcp $HOME_NET any -> [181.141.1.250] 2424 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201306; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.112] 7760 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201307; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.133] 5529 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201308; rev:1;)
alert tcp $HOME_NET any -> [185.157.160.136] 1975 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201309; rev:1;)
alert tcp $HOME_NET any -> [213.152.186.24] 16941 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201310; rev:1;)
alert tcp $HOME_NET any -> [64.56.68.30] 5885 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201311; rev:1;)
alert tcp $HOME_NET any -> [2.133.130.23] 443 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201312; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.140] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201313; rev:1;)
alert tcp $HOME_NET any -> [20.203.173.201] 58110 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201314; rev:1;)
alert tcp $HOME_NET any -> [45.133.1.179] 442 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201315; rev:1;)
alert tcp $HOME_NET any -> [212.192.246.4] 5523 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201316; rev:1;)
alert tcp $HOME_NET any -> [45.133.1.47] 3264 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201317; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.110] 9909 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201318; rev:1;)
alert tcp $HOME_NET any -> [142.202.240.117] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201319; rev:1;)
alert tcp $HOME_NET any -> [139.99.244.21] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201320; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.212] 4409 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201321; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.135] 5900 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201322; rev:1;)
alert tcp $HOME_NET any -> [168.90.65.230] 5552 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201323; rev:1;)
alert tcp $HOME_NET any -> [31.210.20.187] 43417 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201324; rev:1;)
alert tcp $HOME_NET any -> [14.17.115.109] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201325; rev:1;)
alert tcp $HOME_NET any -> [45.144.225.194] 2424 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201326; rev:1;)
alert tcp $HOME_NET any -> [185.195.79.212] 5656 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201327; rev:1;)
alert tcp $HOME_NET any -> [193.187.91.115] 1234 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201328; rev:1;)
alert tcp $HOME_NET any -> [185.215.113.62] 8808 (msg:"SSLBL: Traffic to malicious 
host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201329; rev:1;) alert tcp $HOME_NET any -> [2.56.59.227] 8081 (msg:"SSLBL: Traffic to malicious host (likely hVNC C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201330; rev:1;) alert tcp $HOME_NET any -> [2.56.59.227] 8082 (msg:"SSLBL: Traffic to malicious host (likely hVNC C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201331; rev:1;) alert tcp $HOME_NET any -> [2.56.59.227] 8083 (msg:"SSLBL: Traffic to malicious host (likely hVNC C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201332; rev:1;) alert tcp $HOME_NET any -> [23.227.202.152] 446 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201333; rev:1;) alert tcp $HOME_NET any -> [23.82.19.235] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201334; rev:1;) alert tcp $HOME_NET any -> [185.195.25.72] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201335; rev:1;) alert tcp $HOME_NET any -> [136.144.41.171] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201336; rev:1;) alert tcp $HOME_NET any -> [2.59.119.75] 8080 
(msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201337; rev:1;) alert tcp $HOME_NET any -> [141.95.6.169] 9404 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201338; rev:1;) alert tcp $HOME_NET any -> [156.146.50.177] 25727 (msg:"SSLBL: Traffic to malicious host (likely DcRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201339; rev:1;) alert tcp $HOME_NET any -> [178.200.180.146] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201340; rev:1;) alert tcp $HOME_NET any -> [154.48.237.186] 8808 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201341; rev:1;) alert tcp $HOME_NET any -> [89.40.13.195] 4908 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201342; rev:1;) alert tcp $HOME_NET any -> [172.94.16.182] 6060 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201343; rev:1;) alert tcp $HOME_NET any -> [194.5.98.33] 55441 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201344; rev:1;) alert tcp 
$HOME_NET any -> [45.142.215.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201345; rev:1;) alert tcp $HOME_NET any -> [103.96.131.29] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201346; rev:1;) alert tcp $HOME_NET any -> [185.222.57.204] 8787 (msg:"SSLBL: Traffic to malicious host (likely Vjw0rm C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201347; rev:1;) alert tcp $HOME_NET any -> [3.138.228.94] 24138 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201348; rev:1;) alert tcp $HOME_NET any -> [107.173.219.111] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201349; rev:1;) alert tcp $HOME_NET any -> [81.31.197.143] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201350; rev:1;) alert tcp $HOME_NET any -> [87.90.86.173] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201351; rev:1;) alert tcp $HOME_NET any -> [176.159.113.196] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201352; rev:1;) alert tcp $HOME_NET any -> [199.195.253.181] 50721 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201353; rev:1;) alert tcp $HOME_NET any -> [216.108.228.52] 1100 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201354; rev:1;) alert tcp $HOME_NET any -> [185.205.210.40] 1337 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201355; rev:1;) alert tcp $HOME_NET any -> [195.133.95.3] 2874 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201356; rev:1;) alert tcp $HOME_NET any -> [84.252.95.55] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201357; rev:1;) alert tcp $HOME_NET any -> [79.69.56.209] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201358; rev:1;) alert tcp $HOME_NET any -> [84.38.129.115] 43147 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201359; rev:1;) alert tcp $HOME_NET any -> [185.53.46.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201360; rev:1;) alert tcp $HOME_NET any -> [45.142.212.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201361; rev:1;) alert tcp $HOME_NET any -> [194.127.179.131] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201362; rev:1;) alert tcp $HOME_NET any -> [35.177.17.33] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201363; rev:1;) alert tcp $HOME_NET any -> [194.163.152.240] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201364; rev:1;) alert tcp $HOME_NET any -> [51.89.194.152] 7777 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201365; rev:1;) alert tcp $HOME_NET any -> [20.98.113.24] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201366; rev:1;) alert tcp $HOME_NET any -> [178.62.232.196] 443 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201367; rev:1;) alert tcp $HOME_NET any -> [45.76.189.89] 5555 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201368; rev:1;) alert tcp $HOME_NET any -> [136.144.41.83] 4102 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201369; rev:1;) alert tcp $HOME_NET any -> [37.0.11.177] 4444 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201370; rev:1;) alert tcp $HOME_NET any -> [195.85.201.65] 6106 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201371; rev:1;) alert tcp $HOME_NET any -> [212.129.30.248] 6000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201372; rev:1;) alert tcp $HOME_NET any -> [23.106.223.154] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201373; rev:1;) alert tcp $HOME_NET any -> [45.77.214.96] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201374; rev:1;) alert tcp $HOME_NET any -> [3.138.45.170] 12214 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201375; rev:1;) alert tcp $HOME_NET any -> [5.196.174.49] 433 (msg:"SSLBL: Traffic to 
malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201376; rev:1;) alert tcp $HOME_NET any -> [172.67.156.42] 443 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201377; rev:1;) alert tcp $HOME_NET any -> [2.56.59.239] 7355 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201378; rev:1;) alert tcp $HOME_NET any -> [104.21.64.226] 443 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201379; rev:1;) alert tcp $HOME_NET any -> [203.159.80.52] 5800 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201380; rev:1;) alert tcp $HOME_NET any -> [103.72.4.163] 27011 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201381; rev:1;) alert tcp $HOME_NET any -> [188.215.229.22] 8900 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201382; rev:1;) alert tcp $HOME_NET any -> [179.43.140.136] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201383; rev:1;) alert tcp $HOME_NET 
any -> [91.151.88.245] 2070 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201384; rev:1;) alert tcp $HOME_NET any -> [61.69.245.176] 42069 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201385; rev:1;) alert tcp $HOME_NET any -> [20.199.121.197] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201386; rev:1;) alert tcp $HOME_NET any -> [45.146.253.103] 420 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201387; rev:1;) alert tcp $HOME_NET any -> [18.189.143.187] 7777 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201388; rev:1;) alert tcp $HOME_NET any -> [99.75.73.147] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201389; rev:1;) alert tcp $HOME_NET any -> [88.99.219.185] 4041 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201390; rev:1;) alert tcp $HOME_NET any -> [45.137.22.104] 1190 (msg:"SSLBL: Traffic to malicious host (likely Vjw0rm C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201391; rev:1;) alert tcp $HOME_NET any -> [185.33.234.96] 2306 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201392; rev:1;) alert tcp $HOME_NET any -> [47.94.3.159] 4455 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201393; rev:1;) alert tcp $HOME_NET any -> [136.244.94.164] 3132 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201394; rev:1;) alert tcp $HOME_NET any -> [37.0.10.63] 6236 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201395; rev:1;) alert tcp $HOME_NET any -> [91.241.48.250] 2001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201396; rev:1;) alert tcp $HOME_NET any -> [84.38.129.118] 43413 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201397; rev:1;) alert tcp $HOME_NET any -> [46.166.173.94] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201398; rev:1;) alert tcp $HOME_NET any -> [37.0.11.183] 4444 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905201399; rev:1;) alert tcp $HOME_NET any -> [144.126.129.113] 27742 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201400; rev:1;) alert tcp $HOME_NET any -> [179.43.187.144] 1111 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201401; rev:1;) alert tcp $HOME_NET any -> [79.134.225.103] 443 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201402; rev:1;) alert tcp $HOME_NET any -> [179.43.141.103] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201403; rev:1;) alert tcp $HOME_NET any -> [79.134.225.103] 6443 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201404; rev:1;) alert tcp $HOME_NET any -> [213.152.162.154] 43763 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201405; rev:1;) alert tcp $HOME_NET any -> [13.213.3.159] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201406; rev:1;) alert tcp $HOME_NET any -> [195.133.40.51] 5867 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201407; rev:1;) alert tcp $HOME_NET any -> [20.197.177.229] 6821 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201408; rev:1;) alert tcp $HOME_NET any -> [45.9.148.138] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201409; rev:1;) alert tcp $HOME_NET any -> [18.133.124.202] 4784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201410; rev:1;) alert tcp $HOME_NET any -> [37.0.8.220] 161 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201411; rev:1;) alert tcp $HOME_NET any -> [37.0.11.221] 4444 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201412; rev:1;) alert tcp $HOME_NET any -> [179.43.141.119] 2222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201413; rev:1;) alert tcp $HOME_NET any -> [213.152.162.15] 6751 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201414; rev:1;) alert tcp $HOME_NET any -> [185.215.113.102] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201415; rev:1;) alert tcp $HOME_NET any -> [85.23.139.64] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201416; rev:1;) alert tcp $HOME_NET any -> [185.157.161.53] 97 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201417; rev:1;) alert tcp $HOME_NET any -> [172.81.61.36] 5656 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201418; rev:1;) alert tcp $HOME_NET any -> [3.131.147.49] 11296 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201419; rev:1;) alert tcp $HOME_NET any -> [184.90.251.249] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201420; rev:1;) alert tcp $HOME_NET any -> [13.53.37.168] 777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201421; rev:1;) alert tcp $HOME_NET any -> [93.108.180.0] 4444 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201422; rev:1;) alert tcp $HOME_NET any -> [94.60.124.63] 4444 (msg:"SSLBL: Traffic to malicious host 
(likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201423; rev:1;) alert tcp $HOME_NET any -> [5.181.234.150] 9090 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201424; rev:1;) alert tcp $HOME_NET any -> [139.28.218.235] 62316 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201425; rev:1;) alert tcp $HOME_NET any -> [3.21.21.95] 6518 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201426; rev:1;) alert tcp $HOME_NET any -> [145.249.106.195] 7355 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201427; rev:1;) alert tcp $HOME_NET any -> [185.157.161.248] 1975 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201428; rev:1;) alert tcp $HOME_NET any -> [185.163.204.212] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201429; rev:1;) alert tcp $HOME_NET any -> [212.192.246.250] 4480 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201430; rev:1;) alert tcp $HOME_NET any -> [5.253.84.122] 4898 
(msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201431; rev:1;) alert tcp $HOME_NET any -> [179.43.187.188] 4056 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201432; rev:1;) alert tcp $HOME_NET any -> [148.251.67.180] 5505 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201433; rev:1;) alert tcp $HOME_NET any -> [185.163.45.186] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201434; rev:1;) alert tcp $HOME_NET any -> [51.254.31.10] 1718 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201435; rev:1;) alert tcp $HOME_NET any -> [23.105.131.217] 83 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201436; rev:1;) alert tcp $HOME_NET any -> [185.140.53.134] 7565 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201437; rev:1;) alert tcp $HOME_NET any -> [103.195.239.218] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201438; rev:1;) alert 
tcp $HOME_NET any -> [194.33.45.44] 1414 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201439; rev:1;) alert tcp $HOME_NET any -> [45.147.230.80] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201440; rev:1;) alert tcp $HOME_NET any -> [112.126.60.177] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201441; rev:1;) alert tcp $HOME_NET any -> [194.5.97.107] 8921 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201442; rev:1;) alert tcp $HOME_NET any -> [13.76.94.179] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201443; rev:1;) alert tcp $HOME_NET any -> [185.244.36.230] 1236 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201444; rev:1;) alert tcp $HOME_NET any -> [115.79.199.11] 4444 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201445; rev:1;) alert tcp $HOME_NET any -> [192.121.245.48] 9083 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201446; rev:1;) alert tcp $HOME_NET any -> [8.39.147.87] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201447; rev:1;) alert tcp $HOME_NET any -> [188.120.251.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201448; rev:1;) alert tcp $HOME_NET any -> [194.180.174.56] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201449; rev:1;) alert tcp $HOME_NET any -> [45.153.241.244] 5506 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201450; rev:1;) alert tcp $HOME_NET any -> [31.210.21.114] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201451; rev:1;) alert tcp $HOME_NET any -> [54.209.199.171] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201452; rev:1;) alert tcp $HOME_NET any -> [194.5.97.94] 7116 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201453; rev:1;) alert tcp $HOME_NET any -> [34.125.20.14] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201454; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.90] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201455; rev:1;)
alert tcp $HOME_NET any -> [3.142.129.56] 12750 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201456; rev:1;)
# NOTE(review): sid:905201457 and sid:905201458 list the same host,
# [109.248.201.153], on ports 8808 and 6606. Each rule matches a single IP:port
# pair, so a connection from $HOME_NET to this host on any other port raises no
# alert from this list. When either sid fires, search flow or firewall logs for
# all traffic to the destination IP rather than only the alerted port.
alert tcp $HOME_NET any -> [109.248.201.153] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201457; rev:1;)
alert tcp $HOME_NET any -> [109.248.201.153] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201458; rev:1;)
alert tcp $HOME_NET any -> [37.0.10.19] 5678 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201459; rev:1;)
alert tcp $HOME_NET any -> [192.227.128.168] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201460; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 3050 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201461; rev:1;)
alert tcp $HOME_NET any -> [194.180.174.20] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201462; rev:1;) alert tcp $HOME_NET any -> [43.224.33.42] 8888 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201463; rev:1;) alert tcp $HOME_NET any -> [141.101.134.51] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201464; rev:1;) alert tcp $HOME_NET any -> [103.140.250.132] 9178 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201465; rev:1;) alert tcp $HOME_NET any -> [147.182.222.233] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201466; rev:1;) alert tcp $HOME_NET any -> [3.139.72.79] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201467; rev:1;) alert tcp $HOME_NET any -> [185.186.244.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201468; rev:1;) alert tcp $HOME_NET any -> [203.145.171.102] 9999 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201469; rev:1;) alert tcp $HOME_NET any -> [185.19.85.177] 1981 (msg:"SSLBL: Traffic to 
malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201470; rev:1;) alert tcp $HOME_NET any -> [51.75.191.89] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201471; rev:1;) alert tcp $HOME_NET any -> [52.252.234.34] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201472; rev:1;) alert tcp $HOME_NET any -> [37.0.10.62] 6992 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201473; rev:1;) alert tcp $HOME_NET any -> [5.63.154.248] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201474; rev:1;) alert tcp $HOME_NET any -> [91.109.180.7] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201475; rev:1;) alert tcp $HOME_NET any -> [91.109.190.5] 2002 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201476; rev:1;) alert tcp $HOME_NET any -> [91.121.214.19] 1605 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201477; rev:1;) alert tcp $HOME_NET any -> 
[213.238.172.124] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201478; rev:1;) alert tcp $HOME_NET any -> [91.109.180.10] 5490 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201479; rev:1;) alert tcp $HOME_NET any -> [217.146.88.139] 5220 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201480; rev:1;) alert tcp $HOME_NET any -> [213.152.162.170] 55928 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201481; rev:1;) alert tcp $HOME_NET any -> [166.62.33.218] 6624 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201482; rev:1;) alert tcp $HOME_NET any -> [185.157.161.248] 1973 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201483; rev:1;) alert tcp $HOME_NET any -> [185.29.11.39] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201484; rev:1;) alert tcp $HOME_NET any -> [23.95.13.189] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201485; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.105] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201486; rev:1;)
alert tcp $HOME_NET any -> [194.58.108.89] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201487; rev:1;)
alert tcp $HOME_NET any -> [8.208.102.114] 80 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201488; rev:1;)
alert tcp $HOME_NET any -> [18.185.84.88] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201489; rev:1;)
alert tcp $HOME_NET any -> [120.26.87.95] 9999 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201490; rev:1;)
# NOTE(review): sid:905201491 and sid:905201492 have the same destination,
# [5.181.156.15] port 443, and differ only in the family named in msg
# (RaccoonStealer vs ServHelper). Both rules match the same flow and thresholds
# are tracked per rule, so one connection produces two alerts. The IP/port match
# alone cannot say which family is involved. Deduplicate on destination IP:port
# in triage and attribute the family from host or payload evidence.
alert tcp $HOME_NET any -> [5.181.156.15] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201491; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.15] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201492; rev:1;)
alert tcp $HOME_NET any -> [8.209.67.224] 80 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905201493; rev:1;) alert tcp $HOME_NET any -> [177.126.146.148] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201494; rev:1;) alert tcp $HOME_NET any -> [94.158.245.250] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201495; rev:1;) alert tcp $HOME_NET any -> [31.14.40.172] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201496; rev:1;) alert tcp $HOME_NET any -> [37.0.8.248] 5900 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201497; rev:1;) alert tcp $HOME_NET any -> [37.0.8.248] 18 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201498; rev:1;) alert tcp $HOME_NET any -> [61.14.233.111] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201499; rev:1;) alert tcp $HOME_NET any -> [194.5.97.150] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201500; rev:1;) alert tcp $HOME_NET any -> [45.137.22.58] 1780 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201501; rev:1;) alert tcp $HOME_NET any -> [103.73.64.115] 9700 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201502; rev:1;) alert tcp $HOME_NET any -> [194.5.98.72] 2405 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201503; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 26369 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201504; rev:1;) alert tcp $HOME_NET any -> [37.221.121.20] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201505; rev:1;) alert tcp $HOME_NET any -> [185.140.53.6] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201506; rev:1;) alert tcp $HOME_NET any -> [143.198.58.231] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201507; rev:1;) alert tcp $HOME_NET any -> [143.198.78.177] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201508; rev:1;) alert tcp $HOME_NET any -> [45.140.17.75] 10443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201509; rev:1;) alert tcp $HOME_NET any -> [185.87.51.159] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201510; rev:1;) alert tcp $HOME_NET any -> [5.180.107.130] 1234 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201511; rev:1;) alert tcp $HOME_NET any -> [91.109.180.8] 25874 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201512; rev:1;) alert tcp $HOME_NET any -> [8.208.27.150] 4550 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201513; rev:1;) alert tcp $HOME_NET any -> [198.244.169.192] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201514; rev:1;) alert tcp $HOME_NET any -> [45.14.50.120] 8808 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201515; rev:1;) alert tcp $HOME_NET any -> [54.37.125.37] 1111 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201516; rev:1;) alert tcp $HOME_NET any -> [77.136.120.46] 4783 (msg:"SSLBL: 
Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201517; rev:1;) alert tcp $HOME_NET any -> [194.5.97.223] 1981 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201518; rev:1;) alert tcp $HOME_NET any -> [84.38.129.103] 43413 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201519; rev:1;) alert tcp $HOME_NET any -> [162.244.82.93] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201520; rev:1;) alert tcp $HOME_NET any -> [74.201.28.134] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201521; rev:1;) alert tcp $HOME_NET any -> [5.196.153.54] 4204 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201522; rev:1;) alert tcp $HOME_NET any -> [20.69.152.28] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201523; rev:1;) alert tcp $HOME_NET any -> [20.98.203.218] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201524; rev:1;) alert tcp $HOME_NET 
any -> [195.123.233.106] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201525; rev:1;) alert tcp $HOME_NET any -> [13.52.241.196] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201526; rev:1;) alert tcp $HOME_NET any -> [185.244.30.143] 31337 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201527; rev:1;) alert tcp $HOME_NET any -> [52.27.77.148] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201528; rev:1;) alert tcp $HOME_NET any -> [13.52.98.56] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201529; rev:1;) alert tcp $HOME_NET any -> [34.79.1.9] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201530; rev:1;) alert tcp $HOME_NET any -> [216.250.252.218] 5505 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201531; rev:1;) alert tcp $HOME_NET any -> [191.101.130.145] 2880 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201532; rev:1;) alert tcp $HOME_NET any -> [142.44.145.208] 6060 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201533; rev:1;) alert tcp $HOME_NET any -> [45.119.84.166] 3303 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201534; rev:1;) alert tcp $HOME_NET any -> [172.241.29.21] 3389 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201535; rev:1;) alert tcp $HOME_NET any -> [37.0.10.6] 6620 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201536; rev:1;) alert tcp $HOME_NET any -> [45.140.17.74] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201537; rev:1;) alert tcp $HOME_NET any -> [79.134.225.22] 7890 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201538; rev:1;) alert tcp $HOME_NET any -> [185.29.11.40] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201539; rev:1;) alert tcp $HOME_NET any -> [91.109.186.4] 25874 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201540; rev:1;) alert tcp $HOME_NET any -> [212.192.241.41] 6841 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201541; rev:1;) alert tcp $HOME_NET any -> [91.109.190.7] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201542; rev:1;) alert tcp $HOME_NET any -> [211.152.146.87] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201543; rev:1;) alert tcp $HOME_NET any -> [20.52.33.123] 2222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201544; rev:1;) alert tcp $HOME_NET any -> [80.209.229.141] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201545; rev:1;) alert tcp $HOME_NET any -> [77.204.204.154] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201546; rev:1;) alert tcp $HOME_NET any -> [213.226.119.176] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201547; rev:1;) alert tcp $HOME_NET any -> [103.147.184.73] 7920 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201548; rev:1;) alert tcp $HOME_NET any -> [212.192.241.19] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201549; rev:1;) alert tcp $HOME_NET any -> [193.32.219.170] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201550; rev:1;) alert tcp $HOME_NET any -> [147.189.171.186] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201551; rev:1;) alert tcp $HOME_NET any -> [178.238.8.174] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201552; rev:1;) alert tcp $HOME_NET any -> [79.134.225.35] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201553; rev:1;) alert tcp $HOME_NET any -> [61.14.233.111] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201554; rev:1;) alert tcp $HOME_NET any -> [185.140.53.192] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201555; rev:1;) alert tcp $HOME_NET any -> [151.106.56.110] 36000 (msg:"SSLBL: Traffic to 
malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201556; rev:1;) alert tcp $HOME_NET any -> [212.129.4.112] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201557; rev:1;) alert tcp $HOME_NET any -> [37.0.8.108] 8080 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201558; rev:1;) alert tcp $HOME_NET any -> [79.134.225.44] 7450 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201559; rev:1;) alert tcp $HOME_NET any -> [82.118.22.1] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201560; rev:1;) alert tcp $HOME_NET any -> [182.186.23.252] 6905 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201561; rev:1;) alert tcp $HOME_NET any -> [35.223.81.165] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201562; rev:1;) alert tcp $HOME_NET any -> [79.134.225.52] 600 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201563; rev:1;) alert tcp $HOME_NET any -> 
[185.87.51.159] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201564; rev:1;) alert tcp $HOME_NET any -> [185.14.31.245] 443 (msg:"SSLBL: Traffic to malicious host (likely RedLineStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201565; rev:1;) alert tcp $HOME_NET any -> [142.4.200.50] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201566; rev:1;) alert tcp $HOME_NET any -> [37.0.11.99] 6620 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201567; rev:1;) alert tcp $HOME_NET any -> [74.201.28.32] 5506 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201568; rev:1;) alert tcp $HOME_NET any -> [20.88.54.36] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201569; rev:1;) alert tcp $HOME_NET any -> [211.152.146.73] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201570; rev:1;) alert tcp $HOME_NET any -> [94.158.245.113] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201571; rev:1;) alert tcp $HOME_NET any -> [203.205.191.21] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201572; rev:1;) alert tcp $HOME_NET any -> [91.216.190.111] 4433 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201573; rev:1;) alert tcp $HOME_NET any -> [54.185.45.48] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201574; rev:1;) alert tcp $HOME_NET any -> [185.244.30.28] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201575; rev:1;) alert tcp $HOME_NET any -> [35.165.197.209] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201576; rev:1;) alert tcp $HOME_NET any -> [3.101.57.185] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201577; rev:1;) alert tcp $HOME_NET any -> [178.79.130.185] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201578; rev:1;) alert tcp $HOME_NET any -> [160.176.133.93] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201579; rev:1;) alert tcp $HOME_NET any -> [185.64.106.64] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201580; rev:1;) alert tcp $HOME_NET any -> [91.109.180.3] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201581; rev:1;) alert tcp $HOME_NET any -> [91.109.190.9] 25874 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201582; rev:1;) alert tcp $HOME_NET any -> [45.155.205.208] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201583; rev:1;) alert tcp $HOME_NET any -> [45.195.8.100] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201584; rev:1;) alert tcp $HOME_NET any -> [67.242.2.35] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201585; rev:1;) alert tcp $HOME_NET any -> [67.242.2.35] 8808 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201586; rev:1;) alert tcp $HOME_NET any -> [194.5.98.15] 5162 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201587; rev:1;) alert tcp $HOME_NET any -> [91.193.75.202] 11011 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201588; rev:1;) alert tcp $HOME_NET any -> [37.0.8.191] 55714 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201589; rev:1;) alert tcp $HOME_NET any -> [80.253.247.232] 1638 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201590; rev:1;) alert tcp $HOME_NET any -> [185.163.45.90] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201591; rev:1;) alert tcp $HOME_NET any -> [13.56.160.68] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201592; rev:1;) alert tcp $HOME_NET any -> [18.237.106.160] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201593; rev:1;) alert tcp $HOME_NET any -> [185.244.30.19] 1120 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201594; rev:1;) alert tcp $HOME_NET any -> [103.158.190.58] 443 (msg:"SSLBL: Traffic to 
malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201595; rev:1;) alert tcp $HOME_NET any -> [91.109.190.4] 25874 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201596; rev:1;) alert tcp $HOME_NET any -> [37.0.8.93] 7050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201597; rev:1;) alert tcp $HOME_NET any -> [188.34.203.105] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201598; rev:1;) alert tcp $HOME_NET any -> [105.155.110.220] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201599; rev:1;) alert tcp $HOME_NET any -> [188.255.114.14] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201600; rev:1;) alert tcp $HOME_NET any -> [107.182.237.15] 55736 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201601; rev:1;) alert tcp $HOME_NET any -> [212.192.241.89] 3309 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201602; rev:1;) alert tcp $HOME_NET any -> 
[51.38.19.195] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201603; rev:1;) alert tcp $HOME_NET any -> [45.147.198.125] 8848 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201604; rev:1;) alert tcp $HOME_NET any -> [103.150.8.21] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201605; rev:1;) alert tcp $HOME_NET any -> [37.120.206.86] 1738 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201606; rev:1;) alert tcp $HOME_NET any -> [37.0.11.45] 448 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201607; rev:1;) alert tcp $HOME_NET any -> [20.80.51.178] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201608; rev:1;) alert tcp $HOME_NET any -> [134.195.89.8] 6666 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201609; rev:1;) alert tcp $HOME_NET any -> [73.138.124.217] 8808 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201610; rev:1;) 
# How to read the alerts produced by the rules below:
# - Each rule matches on destination IP and TCP port only; there is no content,
#   TLS or certificate keyword. The family named in msg is the feed's label for
#   that endpoint, not something the rule checks in the traffic.
# - flow:established,to_server restricts the match to client-to-server packets
#   of an established TCP session. The action is "alert", so these rules do not
#   block anything as written.
# - threshold: type limit, track by_src, seconds 60, count 1 gives at most one
#   alert per source address per rule in each 60-second window. Alert counts
#   therefore understate connection counts; use flow records for volume.
# - NOTE(review): the file header marks this list "Aggressive" and dated
#   2024-04-17. IP addresses are reassigned over time, so confirm an entry is
#   still current before treating a hit as a confirmed compromise.
# - NOTE(review): in-rule "threshold" is deprecated in Snort 2.x in favour of
#   detection_filter / event_filter and may not load on Snort 3. Check it
#   against the engine in use.
alert tcp $HOME_NET any -> [185.140.53.194] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201611; rev:1;)
alert tcp $HOME_NET any -> [37.0.11.215] 6666 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201612; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.22] 7734 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201613; rev:1;)
alert tcp $HOME_NET any -> [193.239.85.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201614; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.171] 5506 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201615; rev:1;)
alert tcp $HOME_NET any -> [198.23.212.148] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201616; rev:1;)
alert tcp $HOME_NET any -> [142.202.189.75] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201617; rev:1;)
alert tcp $HOME_NET any -> [3.137.146.78] 777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201618; rev:1;) alert tcp $HOME_NET any -> [37.0.8.20] 2222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201619; rev:1;) alert tcp $HOME_NET any -> [2.56.59.48] 7355 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201620; rev:1;) alert tcp $HOME_NET any -> [162.244.82.93] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201621; rev:1;) alert tcp $HOME_NET any -> [3.137.146.78] 6666 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201622; rev:1;) alert tcp $HOME_NET any -> [172.94.109.9] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201623; rev:1;) alert tcp $HOME_NET any -> [121.107.159.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201624; rev:1;) alert tcp $HOME_NET any -> [211.152.146.86] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201625; rev:1;) alert tcp $HOME_NET any -> [211.152.136.71] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201626; rev:1;)
alert tcp $HOME_NET any -> [101.33.11.48] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201627; rev:1;)
alert tcp $HOME_NET any -> [54.219.112.13] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201628; rev:1;)
alert tcp $HOME_NET any -> [167.179.64.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201629; rev:1;)
alert tcp $HOME_NET any -> [34.213.41.242] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201630; rev:1;)
alert tcp $HOME_NET any -> [147.189.170.240] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201631; rev:1;)
# NOTE(review): 172.67.160.253 appears to fall inside Cloudflare's 172.64.0.0/13
# range, i.e. a shared reverse-proxy edge address. Confirm the range first. If
# it is, a match on IP and port 443 alone cannot tell the listed C2 apart from
# any other site served from that edge, so corroborate a hit with SNI, JA3 or
# certificate data before escalating. The msg carries only the generic
# "Malware" label, so the rule gives no family name to pivot on.
alert tcp $HOME_NET any -> [172.67.160.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201632; rev:1;)
alert tcp $HOME_NET any -> [192.121.245.44] 9088 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201633; rev:1;)
alert tcp $HOME_NET any -> [20.151.200.9] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201634; rev:1;) alert tcp $HOME_NET any -> [94.156.35.37] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201635; rev:1;) alert tcp $HOME_NET any -> [77.247.127.177] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201636; rev:1;) alert tcp $HOME_NET any -> [106.52.168.175] 4782 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201637; rev:1;) alert tcp $HOME_NET any -> [179.43.175.71] 4444 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201638; rev:1;) alert tcp $HOME_NET any -> [185.157.161.63] 1973 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201639; rev:1;) alert tcp $HOME_NET any -> [91.109.178.7] 5490 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201640; rev:1;) alert tcp $HOME_NET any -> [173.44.50.139] 58440 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201641; rev:1;) alert tcp $HOME_NET any -> [37.0.8.17] 46422 (msg:"SSLBL: Traffic to malicious 
host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201642; rev:1;) alert tcp $HOME_NET any -> [185.163.47.171] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201643; rev:1;) alert tcp $HOME_NET any -> [37.0.11.118] 5423 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201644; rev:1;) alert tcp $HOME_NET any -> [142.202.190.36] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201645; rev:1;) alert tcp $HOME_NET any -> [185.215.113.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201646; rev:1;) alert tcp $HOME_NET any -> [193.169.105.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201647; rev:1;) alert tcp $HOME_NET any -> [37.61.205.212] 8443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201648; rev:1;) alert tcp $HOME_NET any -> [185.153.222.198] 6471 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201649; rev:1;) alert tcp $HOME_NET any -> 
[18.224.165.22] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201650; rev:1;) alert tcp $HOME_NET any -> [3.223.125.168] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201651; rev:1;) alert tcp $HOME_NET any -> [45.153.230.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201652; rev:1;) alert tcp $HOME_NET any -> [20.80.30.45] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201653; rev:1;) alert tcp $HOME_NET any -> [185.19.85.168] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201654; rev:1;) alert tcp $HOME_NET any -> [45.90.58.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201655; rev:1;) alert tcp $HOME_NET any -> [217.12.221.28] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201656; rev:1;) alert tcp $HOME_NET any -> [139.99.126.75] 92 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201657; rev:1;) alert 
tcp $HOME_NET any -> [167.99.117.21] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201658; rev:1;) alert tcp $HOME_NET any -> [194.5.98.5] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201659; rev:1;) alert tcp $HOME_NET any -> [1.15.227.181] 9998 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201660; rev:1;) alert tcp $HOME_NET any -> [101.33.11.29] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201661; rev:1;) alert tcp $HOME_NET any -> [185.244.26.213] 9872 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201662; rev:1;) alert tcp $HOME_NET any -> [91.109.180.4] 2002 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201663; rev:1;) alert tcp $HOME_NET any -> [79.134.225.27] 5821 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201664; rev:1;) alert tcp $HOME_NET any -> [91.109.190.3] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201665; rev:1;) alert tcp $HOME_NET any -> [185.29.11.26] 443 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201666; rev:1;) alert tcp $HOME_NET any -> [193.29.104.186] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201667; rev:1;) alert tcp $HOME_NET any -> [91.193.75.199] 11011 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201668; rev:1;) alert tcp $HOME_NET any -> [185.163.45.132] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201669; rev:1;) alert tcp $HOME_NET any -> [79.134.225.105] 12123 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201670; rev:1;) alert tcp $HOME_NET any -> [185.163.45.103] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201671; rev:1;) alert tcp $HOME_NET any -> [45.144.154.150] 5900 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201672; rev:1;) alert tcp $HOME_NET any -> [112.154.0.240] 3176 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201673; rev:1;) alert tcp $HOME_NET any -> [45.86.163.188] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201674; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 25358 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201675; rev:1;) alert tcp $HOME_NET any -> [203.23.128.143] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201676; rev:1;) alert tcp $HOME_NET any -> [5.189.188.138] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201677; rev:1;) alert tcp $HOME_NET any -> [172.94.109.19] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201678; rev:1;) alert tcp $HOME_NET any -> [91.109.190.12] 5490 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201679; rev:1;) alert tcp $HOME_NET any -> [135.148.134.17] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201680; rev:1;) alert tcp $HOME_NET any -> [18.116.230.222] 8787 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201681; rev:1;) alert tcp $HOME_NET any -> [195.133.40.6] 55714 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201682; rev:1;) alert tcp $HOME_NET any -> [45.147.231.41] 5001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201683; rev:1;) alert tcp $HOME_NET any -> [39.108.60.64] 4443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201684; rev:1;) alert tcp $HOME_NET any -> [206.188.196.143] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201685; rev:1;) alert tcp $HOME_NET any -> [204.16.247.104] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201686; rev:1;) alert tcp $HOME_NET any -> [1.117.154.185] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201687; rev:1;) alert tcp $HOME_NET any -> [194.29.101.219] 9700 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201688; rev:1;) alert tcp $HOME_NET any -> [31.7.63.14] 8957 (msg:"SSLBL: 
Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201689; rev:1;) alert tcp $HOME_NET any -> [37.0.11.164] 9174 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201690; rev:1;) alert tcp $HOME_NET any -> [216.250.254.208] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201691; rev:1;) alert tcp $HOME_NET any -> [2.56.59.82] 6992 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201692; rev:1;) alert tcp $HOME_NET any -> [185.225.19.100] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201693; rev:1;) alert tcp $HOME_NET any -> [101.33.10.114] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201694; rev:1;) alert tcp $HOME_NET any -> [95.179.142.67] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201695; rev:1;) alert tcp $HOME_NET any -> [23.81.246.58] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201696; rev:1;) alert tcp 
$HOME_NET any -> [185.140.53.137] 5541 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201697; rev:1;) alert tcp $HOME_NET any -> [209.54.104.73] 8558 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201698; rev:1;) alert tcp $HOME_NET any -> [91.109.190.4] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201699; rev:1;) alert tcp $HOME_NET any -> [91.109.176.4] 5490 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201700; rev:1;) alert tcp $HOME_NET any -> [37.221.121.20] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201701; rev:1;) alert tcp $HOME_NET any -> [167.179.90.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201702; rev:1;) alert tcp $HOME_NET any -> [74.201.28.127] 9070 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201703; rev:1;) alert tcp $HOME_NET any -> [52.170.189.162] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201704; rev:1;)
# Reviewer notes on reading the rules below (every rule has the same shape):
#   - Match criteria are only: an established TCP flow, to_server direction,
#     from $HOME_NET to one listed destination IP and port. No payload, TLS or
#     certificate keyword is present, so a hit means "a monitored host reached
#     this endpoint", not "this malware's traffic was identified".
#   - The action is `alert`: as written these rules report, they do not drop.
#   - The family in msg is qualified with "likely"; some entries carry only the
#     generic label "Malware". Treat the name as a triage hint.
#   - threshold: type limit, track by_src, seconds 60, count 1 caps output at
#     one alert per source address per rule per 60 seconds, so alert counts are
#     not connection counts; use flow records to size the activity.
#   - Several destination addresses recur under different ports, each with its
#     own sid (e.g. 158.69.138.23, 178.154.244.45, 45.144.154.150); correlate
#     on destination IP as well as sid when grouping alerts.
#   - NOTE(review): IP:port indicators go stale as hosting addresses are
#     reassigned; compare a hit against the current feed before treating it as
#     confirmed. Results also depend on $HOME_NET matching the monitored ranges.
alert tcp $HOME_NET any -> [45.158.15.231] 1453 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201705; rev:1;)
alert tcp $HOME_NET any -> [194.76.226.201] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201706; rev:1;)
alert tcp $HOME_NET any -> [51.81.191.248] 1281 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201707; rev:1;)
alert tcp $HOME_NET any -> [45.144.154.150] 4784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201708; rev:1;)
alert tcp $HOME_NET any -> [107.150.23.186] 8808 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201709; rev:1;)
alert tcp $HOME_NET any -> [52.170.189.162] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201710; rev:1;)
alert tcp $HOME_NET any -> [31.210.20.167] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201711; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.144] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201712; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.8] 6060 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201713; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.36] 7570 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201714; rev:1;)
alert tcp $HOME_NET any -> [74.201.28.60] 4296 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201715; rev:1;)
alert tcp $HOME_NET any -> [81.68.105.177] 8848 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201716; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.207] 672 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201717; rev:1;)
alert tcp $HOME_NET any -> [45.61.137.91] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201718; rev:1;)
alert tcp $HOME_NET any -> [8.140.7.162] 48081 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201719; rev:1;)
alert tcp $HOME_NET any -> [5.230.84.38] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201720; rev:1;)
alert tcp $HOME_NET any -> [185.193.126.226] 8088 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201721; rev:1;)
alert tcp $HOME_NET any -> [14.241.72.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201722; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.119] 57436 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201723; rev:1;)
alert tcp $HOME_NET any -> [20.184.2.45] 9208 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201724; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.184] 9872 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201725; rev:1;)
alert tcp $HOME_NET any -> [54.233.121.202] 8282 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201726; rev:1;)
alert tcp $HOME_NET any -> [91.109.190.2] 5490 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201727; rev:1;)
alert tcp $HOME_NET any -> [45.119.84.166] 5505 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201728; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.87] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201729; rev:1;)
alert tcp $HOME_NET any -> [185.158.113.59] 45324 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201730; rev:1;)
alert tcp $HOME_NET any -> [3.143.239.116] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201731; rev:1;)
alert tcp $HOME_NET any -> [122.228.4.229] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201732; rev:1;)
alert tcp $HOME_NET any -> [206.188.197.49] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201733; rev:1;)
alert tcp $HOME_NET any -> [40.118.53.192] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201734; rev:1;)
alert tcp $HOME_NET any -> [196.77.30.93] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201735; rev:1;)
alert tcp $HOME_NET any -> [104.154.231.62] 5050 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201736; rev:1;)
alert tcp $HOME_NET any -> [37.221.121.20] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201737; rev:1;)
alert tcp $HOME_NET any -> [203.159.80.216] 8080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201738; rev:1;)
alert tcp $HOME_NET any -> [185.244.26.233] 1169 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201739; rev:1;)
alert tcp $HOME_NET any -> [18.215.78.203] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201740; rev:1;)
alert tcp $HOME_NET any -> [167.99.96.32] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201741; rev:1;)
alert tcp $HOME_NET any -> [2.56.59.72] 9264 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201742; rev:1;)
alert tcp $HOME_NET any -> [95.111.241.233] 4563 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201743; rev:1;)
alert tcp $HOME_NET any -> [185.65.134.182] 15888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201744; rev:1;)
alert tcp $HOME_NET any -> [178.154.244.45] 666 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201745; rev:1;)
alert tcp $HOME_NET any -> [91.109.176.5] 5490 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201746; rev:1;)
alert tcp $HOME_NET any -> [195.133.40.84] 9521 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201747; rev:1;)
alert tcp $HOME_NET any -> [103.151.125.18] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201748; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.254] 2040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201749; rev:1;)
alert tcp $HOME_NET any -> [158.69.138.23] 9909 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201750; rev:1;)
alert tcp $HOME_NET any -> [34.238.192.43] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201751; rev:1;)
alert tcp $HOME_NET any -> [31.7.63.14] 38294 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201752; rev:1;)
alert tcp $HOME_NET any -> [176.98.41.115] 1938 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201753; rev:1;)
alert tcp $HOME_NET any -> [91.109.188.6] 5490 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201754; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.46] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201755; rev:1;)
alert tcp $HOME_NET any -> [139.99.126.75] 91 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201756; rev:1;)
alert tcp $HOME_NET any -> [45.61.137.250] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201757; rev:1;)
alert tcp $HOME_NET any -> [45.144.154.150] 59 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201758; rev:1;)
alert tcp $HOME_NET any -> [195.133.40.220] 6992 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201759; rev:1;)
alert tcp $HOME_NET any -> [45.155.173.48] 5072 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201760; rev:1;)
alert tcp $HOME_NET any -> [121.182.123.212] 443 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201761; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.135] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201762; rev:1;)
alert tcp $HOME_NET any -> [54.37.191.165] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201763; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.239] 3861 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201764; rev:1;)
alert tcp $HOME_NET any -> [20.98.18.253] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201765; rev:1;)
alert tcp $HOME_NET any -> [95.141.215.167] 9009 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201766; rev:1;)
alert tcp $HOME_NET any -> [52.221.201.97] 4444 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201767; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.233] 2059 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201768; rev:1;)
alert tcp $HOME_NET any -> [23.19.227.243] 5505 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201769; rev:1;)
alert tcp $HOME_NET any -> [37.120.222.161] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201770; rev:1;)
alert tcp $HOME_NET any -> [37.120.222.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201771; rev:1;)
alert tcp $HOME_NET any -> [158.69.138.23] 5505 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201772; rev:1;)
alert tcp $HOME_NET any -> [199.195.253.181] 5200 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201773; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.189] 672 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201774; rev:1;)
alert tcp $HOME_NET any -> [213.238.172.95] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201775; rev:1;)
alert tcp $HOME_NET any -> [37.221.122.76] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201776; rev:1;)
alert tcp $HOME_NET any -> [51.89.107.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201777; rev:1;)
alert tcp $HOME_NET any -> [206.188.196.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201778; rev:1;)
alert tcp $HOME_NET any -> [212.192.241.59] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201779; rev:1;)
alert tcp $HOME_NET any -> [172.94.109.13] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201780; rev:1;)
alert tcp $HOME_NET any -> [207.32.218.49] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201781; rev:1;)
alert tcp $HOME_NET any -> [139.28.5.19] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201782; rev:1;)
alert tcp $HOME_NET any -> [45.131.1.70] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201783; rev:1;)
alert tcp $HOME_NET any -> [178.238.8.135] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201784; rev:1;)
alert tcp $HOME_NET any -> [178.154.244.45] 777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201785; rev:1;)
alert tcp $HOME_NET any -> [178.154.244.45] 2 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201786; rev:1;)
alert tcp $HOME_NET any -> [178.20.44.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201787; rev:1;)
alert tcp $HOME_NET any -> [89.45.6.74] 56060 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201788; rev:1;)
alert tcp $HOME_NET any -> [178.154.244.45] 1 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201789; rev:1;)
alert tcp $HOME_NET any -> [217.64.151.123] 65431 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201790; rev:1;)
alert tcp $HOME_NET any -> [134.122.84.252] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201791; rev:1;)
alert tcp $HOME_NET any -> [47.102.37.135] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201792; rev:1;)
alert tcp $HOME_NET any -> [193.32.232.64] 7777 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201793; rev:1;)
alert tcp $HOME_NET any -> [20.80.31.89] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201794; rev:1;)
alert tcp $HOME_NET any -> [212.192.241.225] 5215 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201795; rev:1;)
alert tcp $HOME_NET any -> [45.144.154.150] 18 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201796; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.180] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201797; rev:1;)
alert tcp $HOME_NET any -> [108.62.118.247] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201798; rev:1;)
alert tcp $HOME_NET any -> [45.147.45.184] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201799; rev:1;)
alert tcp $HOME_NET any -> [18.117.142.49] 2 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201800; rev:1;)
alert tcp $HOME_NET any -> [212.192.241.9] 4455 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201801; rev:1;)
alert tcp $HOME_NET any -> [209.126.85.216] 9632 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201802; rev:1;)
alert tcp $HOME_NET any -> [95.217.123.5] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201803; rev:1;)
alert tcp $HOME_NET any -> [20.199.112.16] 3535 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201804; rev:1;)
alert tcp $HOME_NET any -> [216.250.249.156] 1465 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201805; rev:1;)
alert tcp $HOME_NET any -> [139.99.126.75] 90 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201806; rev:1;)
alert tcp $HOME_NET any -> [192.161.51.191] 8443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201807; rev:1;)
alert tcp $HOME_NET any -> [34.216.7.40] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201808; rev:1;)
alert tcp $HOME_NET any -> [13.57.228.91] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201809; rev:1;)
alert tcp $HOME_NET any -> [91.134.183.121] 4500 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201810; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.244] 52090 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201811; rev:1;)
alert tcp $HOME_NET any -> [138.124.183.144] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201812; rev:1;)
alert tcp $HOME_NET any -> [103.151.123.2] 8621 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201813; rev:1;)
alert tcp $HOME_NET any -> [103.140.251.225] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201814; rev:1;)
alert tcp $HOME_NET any -> [199.195.253.181] 9700 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201815; rev:1;)
alert tcp $HOME_NET any -> [138.68.66.197] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201816; rev:1;)
alert tcp $HOME_NET any -> [173.44.50.141] 63753 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201817; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.246] 43360 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201818; rev:1;)
alert tcp $HOME_NET any -> [185.100.84.208] 443 (msg:"SSLBL: Traffic to malicious host (likely AceRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201819; rev:1;)
alert tcp $HOME_NET any -> [115.78.134.34] 6606 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201820; rev:1;)
alert tcp $HOME_NET any -> [176.98.41.49] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201821; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.204] 5506 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201822; rev:1;)
alert tcp $HOME_NET any -> [20.80.15.232] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201823; rev:1;)
alert tcp $HOME_NET any -> [194.180.174.41] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201824; rev:1;)
alert tcp $HOME_NET any -> [106.15.50.19] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201825; rev:1;)
alert tcp $HOME_NET any -> [212.192.241.252] 9264 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201826; rev:1;)
alert tcp $HOME_NET any -> [3.68.95.191] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201827; rev:1;)
alert tcp $HOME_NET any -> [2.56.212.226] 443 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201828; rev:1;)
alert tcp $HOME_NET any -> [45.63.93.115] 4489 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201829; rev:1;)
alert tcp $HOME_NET any -> [46.243.150.151] 38259 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201830; rev:1;)
alert tcp $HOME_NET any -> [158.69.138.23] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201831; rev:1;)
alert tcp $HOME_NET any -> [47.111.13.98] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201832; rev:1;)
alert tcp $HOME_NET any -> [31.210.21.21] 43360 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201833; rev:1;)
alert tcp $HOME_NET any -> [185.186.244.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201834; rev:1;)
alert tcp $HOME_NET any -> [216.128.183.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201835; rev:1;)
alert tcp $HOME_NET any -> [91.241.51.141] 2221 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201836; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.89] 1991 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201837; rev:1;)
alert tcp $HOME_NET any -> [129.151.100.167] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201838; rev:1;)
alert tcp $HOME_NET any -> [52.250.60.164] 6821 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201839; rev:1;)
alert tcp $HOME_NET any -> [193.169.254.216] 6464 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201840; rev:1;)
alert tcp $HOME_NET any -> [152.89.247.208] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201841; rev:1;)
alert tcp $HOME_NET any -> [217.165.81.72] 26597 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201842; rev:1;)
alert tcp $HOME_NET any -> [160.20.147.106] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201843; rev:1;)
alert tcp $HOME_NET any -> [152.89.247.228] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201844; rev:1;)
alert tcp $HOME_NET any -> [41.102.231.123] 300 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201845; rev:1;)
alert tcp $HOME_NET any -> [103.72.4.166] 8443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201846; rev:1;)
alert tcp $HOME_NET any -> [157.230.255.179] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201847; rev:1;)
alert tcp $HOME_NET any -> [45.138.157.202] 25565 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201848; rev:1;)
alert tcp $HOME_NET any -> [136.144.41.4] 4771 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201849; rev:1;)
alert tcp $HOME_NET any -> [3.18.3.168] 963 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201850; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.241] 8921 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201851; rev:1;)
alert tcp $HOME_NET any -> [212.192.241.42] 4488 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201852; rev:1;)
alert tcp $HOME_NET any -> [199.249.230.2] 61653 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201853; rev:1;)
alert tcp $HOME_NET any -> [103.89.91.38] 3390 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201854; rev:1;)
alert tcp $HOME_NET any -> [91.109.182.3] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201855; rev:1;)
alert tcp $HOME_NET any -> [46.243.221.18] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201856; rev:1;)
alert tcp $HOME_NET any -> [185.244.26.234] 4675 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201857; rev:1;)
alert tcp $HOME_NET any -> [216.230.75.62] 1107 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201858; rev:1;)
alert tcp $HOME_NET any -> [158.247.218.177] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201859; rev:1;)
alert tcp $HOME_NET any -> [46.243.221.18] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201860; rev:1;)
alert tcp $HOME_NET any -> [45.32.120.24] 777 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201861; rev:1;)
alert tcp $HOME_NET any -> [158.69.138.23] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201862; rev:1;)
alert tcp $HOME_NET any -> [185.244.26.223] 7551 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201863; rev:1;)
alert tcp $HOME_NET any -> [193.183.217.83] 5687 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201864; rev:1;)
alert tcp $HOME_NET any -> [158.69.138.23] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201865; rev:1;)
alert tcp $HOME_NET any -> [188.166.0.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201866; rev:1;)
alert tcp $HOME_NET any -> [103.149.13.196] 8621 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201867; rev:1;)
alert tcp $HOME_NET any -> [176.58.61.217] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201868; rev:1;)
alert tcp $HOME_NET
any -> [45.155.124.118] 2461 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201869; rev:1;) alert tcp $HOME_NET any -> [212.192.241.187] 5520 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201870; rev:1;) alert tcp $HOME_NET any -> [82.118.22.204] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201871; rev:1;) alert tcp $HOME_NET any -> [82.118.23.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201872; rev:1;) alert tcp $HOME_NET any -> [5.180.104.57] 4784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201873; rev:1;) alert tcp $HOME_NET any -> [84.38.134.66] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201874; rev:1;) alert tcp $HOME_NET any -> [45.156.84.158] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201875; rev:1;) alert tcp $HOME_NET any -> [185.136.169.163] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905201876; rev:1;) alert tcp $HOME_NET any -> [185.136.169.163] 3480 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201877; rev:1;) alert tcp $HOME_NET any -> [185.136.169.109] 3480 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201878; rev:1;) alert tcp $HOME_NET any -> [173.44.55.155] 52090 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201879; rev:1;) alert tcp $HOME_NET any -> [79.134.225.69] 7551 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201880; rev:1;) alert tcp $HOME_NET any -> [45.15.143.199] 5353 (msg:"SSLBL: Traffic to malicious host (likely DCRat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201881; rev:1;) alert tcp $HOME_NET any -> [89.182.63.182] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201882; rev:1;) alert tcp $HOME_NET any -> [212.192.241.95] 45001 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201883; rev:1;) alert tcp $HOME_NET any -> [194.5.97.146] 8850 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905201884; rev:1;) alert tcp $HOME_NET any -> [77.247.110.131] 8765 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201885; rev:1;) alert tcp $HOME_NET any -> [195.123.235.25] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201886; rev:1;) alert tcp $HOME_NET any -> [106.55.51.55] 5443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201887; rev:1;) alert tcp $HOME_NET any -> [5.181.80.120] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201888; rev:1;) alert tcp $HOME_NET any -> [185.239.243.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201889; rev:1;) alert tcp $HOME_NET any -> [185.206.144.26] 5505 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201890; rev:1;) alert tcp $HOME_NET any -> [45.133.1.212] 50855 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201891; rev:1;) alert tcp $HOME_NET any -> [185.29.9.47] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201892; rev:1;) alert tcp $HOME_NET any -> [194.5.98.8] 3030 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201893; rev:1;) alert tcp $HOME_NET any -> [23.105.131.195] 49645 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201894; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 45642 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201895; rev:1;) alert tcp $HOME_NET any -> [174.138.22.216] 443 (msg:"SSLBL: Traffic to malicious host (likely CloudStalker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201896; rev:1;) alert tcp $HOME_NET any -> [82.118.22.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201897; rev:1;) alert tcp $HOME_NET any -> [101.33.11.110] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201898; rev:1;) alert tcp $HOME_NET any -> [91.109.186.11] 5490 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201899; rev:1;) alert tcp $HOME_NET any -> [45.134.225.35] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201900; rev:1;) alert tcp $HOME_NET any -> [147.124.214.14] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201901; rev:1;) alert tcp $HOME_NET any -> [79.142.76.244] 43147 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201902; rev:1;) alert tcp $HOME_NET any -> [185.29.9.47] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201903; rev:1;) alert tcp $HOME_NET any -> [31.210.21.188] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201904; rev:1;) alert tcp $HOME_NET any -> [160.177.85.21] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201905; rev:1;) alert tcp $HOME_NET any -> [34.195.49.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201906; rev:1;) alert tcp $HOME_NET any -> [95.211.26.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201907; rev:1;) alert tcp $HOME_NET any -> [104.236.60.185] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201908; rev:1;)
alert tcp $HOME_NET any -> [20.98.2.6] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201909; rev:1;)
alert tcp $HOME_NET any -> [89.182.137.33] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201910; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.173] 5436 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201911; rev:1;)
alert tcp $HOME_NET any -> [207.32.218.84] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201912; rev:1;)
# The next two rules are labelled "malware distribution traffic" rather than
# "C&C traffic" in msg; their match conditions have the same form as the C&C
# rules (destination IP and port only), so the label is the only way to tell
# the two kinds of entry apart during triage.
alert tcp $HOME_NET any -> [95.142.40.241] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201913; rev:1;)
alert tcp $HOME_NET any -> [95.142.40.220] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201914; rev:1;)
# sid 905201915 and sid 905201916 name the same destination address and port
# and differ only in msg ("Malware C&C" vs "Malware distribution"). A single
# flow to that endpoint satisfies both rules, so expect two alerts for one
# connection; count affected hosts by destination, not by sid.
alert tcp $HOME_NET any -> [185.250.204.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201915; rev:1;)
alert tcp $HOME_NET any -> [185.250.204.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201916; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.168] 5946 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201917; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.180] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201918; rev:1;)
alert tcp $HOME_NET any -> [18.162.200.0] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201919; rev:1;)
alert tcp $HOME_NET any -> [147.124.219.204] 3303 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201920; rev:1;)
alert tcp $HOME_NET any -> [89.182.123.92] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201921; rev:1;)
alert tcp $HOME_NET any -> [46.21.153.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201922; rev:1;)
alert tcp $HOME_NET any -> [89.248.173.43] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905201923; rev:1;) alert tcp $HOME_NET any -> [79.134.225.18] 2455 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201924; rev:1;) alert tcp $HOME_NET any -> [185.22.172.34] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201925; rev:1;) alert tcp $HOME_NET any -> [207.32.217.131] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201926; rev:1;) alert tcp $HOME_NET any -> [207.32.219.26] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201927; rev:1;) alert tcp $HOME_NET any -> [156.247.13.254] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201928; rev:1;) alert tcp $HOME_NET any -> [45.113.1.17] 4435 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201929; rev:1;) alert tcp $HOME_NET any -> [185.51.246.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201930; rev:1;) alert tcp $HOME_NET any -> [164.68.122.235] 2021 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201931; rev:1;) alert tcp $HOME_NET any -> [51.81.105.225] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201932; rev:1;) alert tcp $HOME_NET any -> [101.33.11.25] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201933; rev:1;) alert tcp $HOME_NET any -> [45.87.0.187] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201934; rev:1;) alert tcp $HOME_NET any -> [93.115.21.128] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201935; rev:1;) alert tcp $HOME_NET any -> [194.5.98.145] 2405 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201936; rev:1;) alert tcp $HOME_NET any -> [104.208.31.182] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201937; rev:1;) alert tcp $HOME_NET any -> [135.148.12.151] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201938; rev:1;) alert tcp $HOME_NET any -> [203.159.80.37] 4972 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201939; rev:1;) alert tcp $HOME_NET any -> [104.223.76.176] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201940; rev:1;) alert tcp $HOME_NET any -> [213.142.159.41] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201941; rev:1;) alert tcp $HOME_NET any -> [158.69.189.97] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201942; rev:1;) alert tcp $HOME_NET any -> [203.159.80.177] 5025 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201943; rev:1;) alert tcp $HOME_NET any -> [5.181.156.140] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201944; rev:1;) alert tcp $HOME_NET any -> [45.138.157.144] 25565 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201945; rev:1;) alert tcp $HOME_NET any -> [46.183.220.49] 46422 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201946; rev:1;) alert tcp $HOME_NET any -> [46.183.220.49] 6578 (msg:"SSLBL: Traffic to 
malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201947; rev:1;)
alert tcp $HOME_NET any -> [136.243.191.199] 5900 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201948; rev:1;)
alert tcp $HOME_NET any -> [101.33.11.88] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201949; rev:1;)
alert tcp $HOME_NET any -> [179.13.6.240] 8057 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201950; rev:1;)
alert tcp $HOME_NET any -> [89.182.88.61] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201951; rev:1;)
# 79.134.225.75 is listed twice below: sid 905201952 (port 7739, labelled
# BitRAT) and sid 905201954 (port 2050, labelled AsyncRAT). The family in msg
# belongs to the address-and-port pair, so triage should not assume a single
# family per host, and the alert thresholds for the two sids are counted
# separately.
alert tcp $HOME_NET any -> [79.134.225.75] 7739 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201952; rev:1;)
alert tcp $HOME_NET any -> [81.163.246.9] 5020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201953; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.75] 2050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201954; rev:1;)
alert tcp $HOME_NET any -> 
[147.124.219.204] 9909 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201955; rev:1;) alert tcp $HOME_NET any -> [185.157.161.205] 1973 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201956; rev:1;) alert tcp $HOME_NET any -> [185.157.161.205] 1975 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201957; rev:1;) alert tcp $HOME_NET any -> [35.197.240.92] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201958; rev:1;) alert tcp $HOME_NET any -> [31.44.185.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201959; rev:1;) alert tcp $HOME_NET any -> [185.50.248.49] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201960; rev:1;) alert tcp $HOME_NET any -> [31.44.185.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201961; rev:1;) alert tcp $HOME_NET any -> [1.15.79.166] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201962; 
rev:1;) alert tcp $HOME_NET any -> [31.210.21.188] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201963; rev:1;) alert tcp $HOME_NET any -> [1.15.128.150] 60001 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201964; rev:1;) alert tcp $HOME_NET any -> [139.99.178.86] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201965; rev:1;) alert tcp $HOME_NET any -> [104.43.200.50] 2222 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201966; rev:1;) alert tcp $HOME_NET any -> [31.210.21.188] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201967; rev:1;) alert tcp $HOME_NET any -> [42.194.199.231] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201968; rev:1;) alert tcp $HOME_NET any -> [62.234.134.62] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201969; rev:1;) alert tcp $HOME_NET any -> [103.234.72.237] 10920 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905201970; rev:1;)
# --- Reviewer notes for the rules that follow (sid 905201971 - 905202009) ---
# What a rule matches: an established TCP flow (flow:established,to_server) from $HOME_NET to
# one fixed destination address and one fixed destination port. There is no TLS, certificate
# or payload keyword in these rules, so an alert only shows that a monitored host completed a
# connection to that endpoint. The family named in msg is the feed's "likely" label.
# Alert rate: "threshold: type limit, track by_src, seconds 60, count 1" allows one alert per
# source address per 60 seconds for each sid. Alert counts therefore understate how many
# connections were made; use flow or connection logs to measure volume and duration.
# Triage: the same address can appear under several sids with different ports (here
# 79.134.225.91 on 1973 and 1975), so pivot on the destination address rather than on the sid.
# Staleness: address-only indicators age. Compare the alert time with the "Last updated"
# stamp in the file header, and corroborate with host telemetry before treating a hit as a
# confirmed infection - NOTE(review): a listed address may since have been reassigned.
# Placement: the match needs the real destination address on the wire. A sensor that only
# sees client-to-proxy traffic will not fire these rules; check where the sensor sits and
# that $HOME_NET covers the hosts to be monitored.
alert tcp $HOME_NET any -> [79.134.225.91] 1973 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201971; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.91] 1975 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201972; rev:1;)
alert tcp $HOME_NET any -> [31.44.185.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201973; rev:1;)
alert tcp $HOME_NET any -> [13.52.231.237] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201974; rev:1;)
alert tcp $HOME_NET any -> [34.220.99.248] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201975; rev:1;)
alert tcp $HOME_NET any -> [139.45.197.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201976; rev:1;)
alert tcp $HOME_NET any -> [54.225.218.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201977; rev:1;)
alert tcp $HOME_NET any -> [185.50.248.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201978; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.116] 1177 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201979; rev:1;)
alert tcp $HOME_NET any -> [120.78.191.11] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201980; rev:1;)
alert tcp $HOME_NET any -> [192.243.59.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201981; rev:1;)
alert tcp $HOME_NET any -> [103.207.36.177] 6204 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201982; rev:1;)
alert tcp $HOME_NET any -> [137.74.176.167] 5553 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201983; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.92] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201984; rev:1;)
alert tcp $HOME_NET any -> [47.118.62.39] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201985; rev:1;)
alert tcp $HOME_NET any -> [88.214.24.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201986; rev:1;)
alert tcp $HOME_NET any -> [2.207.101.83] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201987; rev:1;)
alert tcp $HOME_NET any -> [45.141.84.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201988; rev:1;)
alert tcp $HOME_NET any -> [192.243.59.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201989; rev:1;)
alert tcp $HOME_NET any -> [88.214.24.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201990; rev:1;)
alert tcp $HOME_NET any -> [41.250.187.176] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201991; rev:1;)
alert tcp $HOME_NET any -> [136.243.191.199] 4784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201992; rev:1;)
alert tcp $HOME_NET any -> [192.227.128.143] 9488 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201993; rev:1;)
alert tcp $HOME_NET any -> [89.182.30.194] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201994; rev:1;)
alert tcp $HOME_NET any -> [178.33.222.243] 50855 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201995; rev:1;)
alert tcp $HOME_NET any -> [103.113.159.7] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201996; rev:1;)
alert tcp $HOME_NET any -> [211.152.136.90] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201997; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.171] 3678 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201998; rev:1;)
alert tcp $HOME_NET any -> [185.157.161.20] 8990 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201999; rev:1;)
alert tcp $HOME_NET any -> [211.152.136.88] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202000; rev:1;)
alert tcp $HOME_NET any -> [192.243.59.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202001; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.120] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202002; rev:1;)
alert tcp $HOME_NET any -> [3.142.167.4] 18318 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202003; rev:1;)
alert tcp $HOME_NET any -> [193.56.29.105] 1982 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202004; rev:1;)
alert tcp $HOME_NET any -> [79.137.109.121] 50855 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202005; rev:1;)
alert tcp $HOME_NET any -> [193.239.85.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202006; rev:1;)
alert tcp $HOME_NET any -> [193.239.84.195] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202007; rev:1;)
alert tcp $HOME_NET any -> [46.243.221.40] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202008; rev:1;)
alert tcp $HOME_NET any -> [72.11.137.166] 55050 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202009; rev:1;)
# --- Reviewer notes for the rules that follow (sid 905202010 - 905202133) ---
# Every rule here has the same shape: alert once an established, client-to-server TCP flow
# from $HOME_NET reaches the single address and port in the rule header. Nothing in the rule
# body inspects TLS, certificates or payload, so the alert is an address/port sighting; the
# family named in msg is the feed's "likely" attribution.
# "threshold: type limit, track by_src, seconds 60, count 1" caps each sid at one alert per
# source address per 60 seconds. Repeated beaconing from one host shows up as a low alert
# count, so confirm frequency and byte counts from flow records.
# The same address can sit behind more than one sid (18.224.135.48 appears with port 9933 in
# sid 905202107 and with port 1 in sid 905202130). Correlate by destination address.
# NOTE(review): destination port 1 in sid 905202130 is unusual; it is kept exactly as
# published - confirm against the feed entry before tuning or suppressing that rule.
# Most entries use port 443, where connections to a listed address are indistinguishable at
# this layer from other HTTPS to the same address. Corroborate with endpoint telemetry and
# compare the alert time with the "Last updated" stamp in the file header -
# NOTE(review): address-only indicators age and a listed address may have been reassigned.
alert tcp $HOME_NET any -> [20.194.35.6] 7904 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202010; rev:1;)
alert tcp $HOME_NET any -> [185.197.30.108] 5687 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202011; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.137] 5000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202012; rev:1;)
alert tcp $HOME_NET any -> [201.219.204.73] 1884 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202013; rev:1;)
alert tcp $HOME_NET any -> [185.163.47.163] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202014; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.107] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202015; rev:1;)
alert tcp $HOME_NET any -> [193.142.146.202] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202016; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.10] 5000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202017; rev:1;)
alert tcp $HOME_NET any -> [84.38.182.88] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202018; rev:1;)
alert tcp $HOME_NET any -> [5.2.65.197] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202019; rev:1;)
alert tcp $HOME_NET any -> [34.92.115.71] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202020; rev:1;)
alert tcp $HOME_NET any -> [136.244.96.52] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202021; rev:1;)
alert tcp $HOME_NET any -> [188.34.142.201] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202022; rev:1;)
alert tcp $HOME_NET any -> [193.38.55.11] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202023; rev:1;)
alert tcp $HOME_NET any -> [107.155.164.5] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202024; rev:1;)
alert tcp $HOME_NET any -> [34.105.210.195] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202025; rev:1;)
alert tcp $HOME_NET any -> [115.78.134.34] 7707 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202026; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.38] 4783 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202027; rev:1;)
alert tcp $HOME_NET any -> [176.103.59.173] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202028; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.132] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202029; rev:1;)
alert tcp $HOME_NET any -> [167.99.184.82] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202030; rev:1;)
alert tcp $HOME_NET any -> [193.239.84.194] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202031; rev:1;)
alert tcp $HOME_NET any -> [193.239.84.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202032; rev:1;)
alert tcp $HOME_NET any -> [185.183.162.147] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202033; rev:1;)
alert tcp $HOME_NET any -> [179.43.166.32] 10090 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202034; rev:1;)
alert tcp $HOME_NET any -> [46.243.250.171] 6381 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202035; rev:1;)
alert tcp $HOME_NET any -> [94.176.235.200] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202036; rev:1;)
alert tcp $HOME_NET any -> [185.102.136.27] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202037; rev:1;)
alert tcp $HOME_NET any -> [172.111.168.19] 6381 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202038; rev:1;)
alert tcp $HOME_NET any -> [34.96.156.66] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202039; rev:1;)
alert tcp $HOME_NET any -> [107.175.101.209] 7865 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202040; rev:1;)
alert tcp $HOME_NET any -> [159.75.110.125] 9102 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202041; rev:1;)
alert tcp $HOME_NET any -> [185.201.47.155] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202042; rev:1;)
alert tcp $HOME_NET any -> [94.140.114.21] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202043; rev:1;)
alert tcp $HOME_NET any -> [82.118.22.118] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202044; rev:1;)
alert tcp $HOME_NET any -> [194.127.178.197] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202045; rev:1;)
alert tcp $HOME_NET any -> [80.92.206.44] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202046; rev:1;)
alert tcp $HOME_NET any -> [112.74.182.201] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202047; rev:1;)
alert tcp $HOME_NET any -> [74.119.195.101] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202048; rev:1;)
alert tcp $HOME_NET any -> [185.163.47.244] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202049; rev:1;)
alert tcp $HOME_NET any -> [91.228.218.43] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202050; rev:1;)
alert tcp $HOME_NET any -> [202.168.154.11] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202051; rev:1;)
alert tcp $HOME_NET any -> [185.212.131.90] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202052; rev:1;)
alert tcp $HOME_NET any -> [141.136.0.105] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202053; rev:1;)
alert tcp $HOME_NET any -> [195.54.33.143] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202054; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.123] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202055; rev:1;)
alert tcp $HOME_NET any -> [185.163.47.254] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202056; rev:1;)
alert tcp $HOME_NET any -> [8.140.186.40] 8888 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202057; rev:1;)
alert tcp $HOME_NET any -> [116.203.178.81] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202058; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.70] 50855 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202059; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.152] 3413 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202060; rev:1;)
alert tcp $HOME_NET any -> [195.54.33.200] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202061; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.62] 4170 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202062; rev:1;)
alert tcp $HOME_NET any -> [66.248.206.71] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202063; rev:1;)
alert tcp $HOME_NET any -> [117.51.136.152] 8443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202064; rev:1;)
alert tcp $HOME_NET any -> [185.234.247.219] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202065; rev:1;)
alert tcp $HOME_NET any -> [141.136.0.96] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202066; rev:1;)
alert tcp $HOME_NET any -> [204.48.28.130] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202067; rev:1;)
alert tcp $HOME_NET any -> [160.124.49.133] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202068; rev:1;)
alert tcp $HOME_NET any -> [185.141.26.139] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202069; rev:1;)
alert tcp $HOME_NET any -> [213.152.187.210] 42012 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202070; rev:1;)
alert tcp $HOME_NET any -> [74.119.195.166] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202071; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.75] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202072; rev:1;)
alert tcp $HOME_NET any -> [74.119.195.168] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202073; rev:1;)
alert tcp $HOME_NET any -> [176.103.61.84] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202074; rev:1;)
alert tcp $HOME_NET any -> [195.123.215.115] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202075; rev:1;)
alert tcp $HOME_NET any -> [194.127.179.127] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202076; rev:1;)
alert tcp $HOME_NET any -> [195.54.33.131] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202077; rev:1;)
alert tcp $HOME_NET any -> [74.119.195.167] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202078; rev:1;)
alert tcp $HOME_NET any -> [51.89.204.5] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202079; rev:1;)
alert tcp $HOME_NET any -> [195.123.215.67] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202080; rev:1;)
alert tcp $HOME_NET any -> [5.230.68.40] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202081; rev:1;)
alert tcp $HOME_NET any -> [45.139.187.144] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202082; rev:1;)
alert tcp $HOME_NET any -> [46.243.217.11] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202083; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.75] 443 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202084; rev:1;)
alert tcp $HOME_NET any -> [213.152.187.205] 43413 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202085; rev:1;)
alert tcp $HOME_NET any -> [185.66.13.246] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202086; rev:1;)
alert tcp $HOME_NET any -> [23.238.217.173] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202087; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.69] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202088; rev:1;)
alert tcp $HOME_NET any -> [185.144.100.9] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202089; rev:1;)
alert tcp $HOME_NET any -> [138.197.176.134] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202090; rev:1;)
alert tcp $HOME_NET any -> [45.141.37.7] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202091; rev:1;)
alert tcp $HOME_NET any -> [193.233.78.102] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202092; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.23] 6667 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202093; rev:1;)
alert tcp $HOME_NET any -> [91.200.41.42] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202094; rev:1;)
alert tcp $HOME_NET any -> [140.82.57.172] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202095; rev:1;)
alert tcp $HOME_NET any -> [23.95.0.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202096; rev:1;)
alert tcp $HOME_NET any -> [92.223.90.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202097; rev:1;)
alert tcp $HOME_NET any -> [193.142.58.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202098; rev:1;)
alert tcp $HOME_NET any -> [141.164.36.203] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202099; rev:1;)
alert tcp $HOME_NET any -> [207.32.219.41] 1996 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202100; rev:1;)
alert tcp $HOME_NET any -> [34.83.147.211] 3741 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202101; rev:1;)
alert tcp $HOME_NET any -> [45.144.225.107] 43360 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202102; rev:1;)
alert tcp $HOME_NET any -> [88.80.186.210] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202103; rev:1;)
alert tcp $HOME_NET any -> [3.138.180.119] 11048 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202104; rev:1;)
alert tcp $HOME_NET any -> [45.129.137.247] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202105; rev:1;)
alert tcp $HOME_NET any -> [46.243.221.41] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202106; rev:1;)
alert tcp $HOME_NET any -> [18.224.135.48] 9933 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202107; rev:1;)
alert tcp $HOME_NET any -> [45.77.122.108] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202108; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.172] 1609 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202109; rev:1;)
alert tcp $HOME_NET any -> [89.182.118.216] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202110; rev:1;)
alert tcp $HOME_NET any -> [91.203.145.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202111; rev:1;)
alert tcp $HOME_NET any -> [86.106.131.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202112; rev:1;)
alert tcp $HOME_NET any -> [104.36.231.42] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202113; rev:1;)
alert tcp $HOME_NET any -> [47.243.68.98] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202114; rev:1;)
alert tcp $HOME_NET any -> [201.212.118.175] 444 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202115; rev:1;)
alert tcp $HOME_NET any -> [5.34.182.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202116; rev:1;)
alert tcp $HOME_NET any -> [185.82.219.58] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202117; rev:1;)
alert tcp $HOME_NET any -> [195.123.219.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202118; rev:1;)
alert tcp $HOME_NET any -> [193.38.55.77] 38022 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202119; rev:1;)
alert tcp $HOME_NET any -> [74.50.60.96] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202120; rev:1;)
alert tcp $HOME_NET any -> [47.89.46.44] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202121; rev:1;)
alert tcp $HOME_NET any -> [109.232.239.145] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202122; rev:1;)
alert tcp $HOME_NET any -> [51.195.134.41] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202123; rev:1;)
alert tcp $HOME_NET any -> [185.50.248.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202124; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.79] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202125; rev:1;)
alert tcp $HOME_NET any -> [185.14.28.131] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202126; rev:1;)
alert tcp $HOME_NET any -> [18.191.253.86] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202127; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.238] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202128; rev:1;)
alert tcp $HOME_NET any -> [124.70.89.118] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202129; rev:1;)
alert tcp $HOME_NET any -> [18.224.135.48] 1 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202130; rev:1;)
alert tcp $HOME_NET any -> [195.58.49.13] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202131; rev:1;)
alert tcp $HOME_NET any -> [139.224.118.73] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202132; rev:1;)
alert tcp $HOME_NET any -> [193.38.55.33] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202133; rev:1;)
alert tcp $HOME_NET any -> [152.89.162.12] 1973 (msg:"SSLBL: Traffic to malicious host (likely BitRAT 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202134; rev:1;) alert tcp $HOME_NET any -> [179.43.140.164] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202135; rev:1;) alert tcp $HOME_NET any -> [18.224.135.48] 2008 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202136; rev:1;) alert tcp $HOME_NET any -> [51.81.165.158] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202137; rev:1;) alert tcp $HOME_NET any -> [209.249.134.8] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202138; rev:1;) alert tcp $HOME_NET any -> [49.235.187.153] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202139; rev:1;) alert tcp $HOME_NET any -> [185.163.45.229] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202140; rev:1;) alert tcp $HOME_NET any -> [193.135.12.12] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202141; rev:1;) alert tcp $HOME_NET any -> [143.110.180.217] 443 
(msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202142; rev:1;) alert tcp $HOME_NET any -> [193.135.12.10] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202143; rev:1;) alert tcp $HOME_NET any -> [45.77.194.161] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202144; rev:1;) alert tcp $HOME_NET any -> [46.243.221.36] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202145; rev:1;) alert tcp $HOME_NET any -> [54.37.160.138] 6601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202146; rev:1;) alert tcp $HOME_NET any -> [46.243.221.55] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202147; rev:1;) alert tcp $HOME_NET any -> [34.91.189.70] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202148; rev:1;) alert tcp $HOME_NET any -> [5.181.156.3] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202149; 
rev:1;) alert tcp $HOME_NET any -> [45.139.236.5] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202150; rev:1;) alert tcp $HOME_NET any -> [103.233.195.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202151; rev:1;) alert tcp $HOME_NET any -> [91.152.91.234] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202152; rev:1;) alert tcp $HOME_NET any -> [193.135.12.14] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202153; rev:1;) alert tcp $HOME_NET any -> [193.135.12.15] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202154; rev:1;) alert tcp $HOME_NET any -> [198.23.212.148] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202155; rev:1;) alert tcp $HOME_NET any -> [198.23.212.148] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202156; rev:1;) alert tcp $HOME_NET any -> [203.159.80.242] 6805 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905202157; rev:1;) alert tcp $HOME_NET any -> [204.236.142.165] 443 (msg:"SSLBL: Traffic to malicious host (likely BazarCall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202158; rev:1;) alert tcp $HOME_NET any -> [54.218.15.82] 443 (msg:"SSLBL: Traffic to malicious host (likely BazarCall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202159; rev:1;) alert tcp $HOME_NET any -> [172.94.109.35] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202160; rev:1;) alert tcp $HOME_NET any -> [134.122.134.87] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202161; rev:1;) alert tcp $HOME_NET any -> [185.244.38.80] 50663 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202162; rev:1;) alert tcp $HOME_NET any -> [194.5.98.174] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202163; rev:1;) alert tcp $HOME_NET any -> [46.243.221.30] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202164; rev:1;) alert tcp $HOME_NET any -> [182.92.233.209] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202165; rev:1;) alert tcp $HOME_NET any -> [185.58.92.227] 5353 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202166; rev:1;) alert tcp $HOME_NET any -> [185.189.151.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202167; rev:1;) alert tcp $HOME_NET any -> [221.146.229.139] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202168; rev:1;) alert tcp $HOME_NET any -> [103.224.241.225] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202169; rev:1;) alert tcp $HOME_NET any -> [94.158.245.121] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202170; rev:1;) alert tcp $HOME_NET any -> [45.134.169.75] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202171; rev:1;) alert tcp $HOME_NET any -> [95.179.246.182] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202172; rev:1;) alert tcp $HOME_NET any -> [34.76.44.128] 443 (msg:"SSLBL: Traffic to malicious host (likely 
RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202173; rev:1;) alert tcp $HOME_NET any -> [194.5.97.128] 11011 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202174; rev:1;) alert tcp $HOME_NET any -> [103.55.10.39] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202175; rev:1;) alert tcp $HOME_NET any -> [108.61.89.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202176; rev:1;) alert tcp $HOME_NET any -> [35.201.213.225] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202177; rev:1;) alert tcp $HOME_NET any -> [112.124.28.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202178; rev:1;) alert tcp $HOME_NET any -> [34.91.16.249] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202179; rev:1;) alert tcp $HOME_NET any -> [213.152.162.69] 43413 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202180; rev:1;) alert tcp $HOME_NET any -> [172.111.251.53] 
2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202181; rev:1;) alert tcp $HOME_NET any -> [172.94.50.146] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202182; rev:1;) alert tcp $HOME_NET any -> [47.95.219.96] 3344 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202183; rev:1;) alert tcp $HOME_NET any -> [185.225.19.253] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202184; rev:1;) alert tcp $HOME_NET any -> [45.67.231.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202185; rev:1;) alert tcp $HOME_NET any -> [5.181.156.250] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202186; rev:1;) alert tcp $HOME_NET any -> [92.63.99.163] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202187; rev:1;) alert tcp $HOME_NET any -> [185.219.40.40] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202188; rev:1;) alert tcp $HOME_NET any -> [188.127.231.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202189; rev:1;) alert tcp $HOME_NET any -> [172.94.50.143] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202190; rev:1;) alert tcp $HOME_NET any -> [34.70.170.220] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202191; rev:1;) alert tcp $HOME_NET any -> [168.119.0.86] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202192; rev:1;) alert tcp $HOME_NET any -> [77.247.127.24] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202193; rev:1;) alert tcp $HOME_NET any -> [140.238.243.50] 2021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202194; rev:1;) alert tcp $HOME_NET any -> [191.101.130.162] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202195; rev:1;) alert tcp $HOME_NET any -> [18.224.135.48] 1612 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905202196; rev:1;) alert tcp $HOME_NET any -> [41.105.23.43] 1231 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202197; rev:1;) alert tcp $HOME_NET any -> [191.101.130.162] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202198; rev:1;) alert tcp $HOME_NET any -> [34.65.142.15] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202199; rev:1;) alert tcp $HOME_NET any -> [35.246.79.214] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202200; rev:1;) alert tcp $HOME_NET any -> [185.163.45.182] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202201; rev:1;) alert tcp $HOME_NET any -> [34.90.118.146] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202202; rev:1;) alert tcp $HOME_NET any -> [8.209.66.127] 443 (msg:"SSLBL: Traffic to malicious host (likely BazarCall malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202203; rev:1;) alert tcp $HOME_NET any -> [8.209.66.127] 443 (msg:"SSLBL: Traffic to malicious host (likely BazarCall C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202204; rev:1;) alert tcp $HOME_NET any -> [45.145.36.210] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202205; rev:1;) alert tcp $HOME_NET any -> [172.104.225.210] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202206; rev:1;) alert tcp $HOME_NET any -> [101.200.178.253] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202207; rev:1;) alert tcp $HOME_NET any -> [35.246.130.209] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202208; rev:1;) alert tcp $HOME_NET any -> [185.219.168.29] 2990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202209; rev:1;) alert tcp $HOME_NET any -> [41.105.114.108] 1231 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202210; rev:1;) alert tcp $HOME_NET any -> [185.163.45.249] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202211; rev:1;) alert tcp $HOME_NET any -> [79.134.225.18] 7707 
(msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202212; rev:1;) alert tcp $HOME_NET any -> [172.93.163.101] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202213; rev:1;) alert tcp $HOME_NET any -> [172.93.163.101] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202214; rev:1;) alert tcp $HOME_NET any -> [46.243.221.26] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202215; rev:1;) alert tcp $HOME_NET any -> [152.89.247.74] 7139 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202216; rev:1;) alert tcp $HOME_NET any -> [194.5.98.206] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202217; rev:1;) alert tcp $HOME_NET any -> [23.163.0.12] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202218; rev:1;) alert tcp $HOME_NET any -> [35.204.89.50] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202219; rev:1;) 
# ---------------------------------------------------------------------------
# Reviewer notes for sid 905202220 - 905202258 (rules restored one per line).
#
# What these rules match: a TCP flow from an address in $HOME_NET (as defined
# in the sensor configuration) to one listed destination IP and port. There is
# no content, TLS or certificate keyword, so the family named in msg is the
# feed's attribution ("likely"), not something the sensor verifies on the wire.
#
# flow:established,to_server: an alert needs a completed TCP handshake.
# Connection attempts that never establish (for example, dropped upstream of
# the sensor) raise nothing, so the absence of alerts does not prove the
# absence of attempts.
#
# threshold: type limit, track by_src, seconds 60, count 1: each rule raises at
# most one alert per source address per 60 seconds. Use flow or connection
# logs, not alert counts, to judge how long or how often a host talked to the
# destination.
#
# Triage: an IP:port indicator can outlive the C2 it described, because
# addresses get reassigned. Confirm a hit against current intelligence and
# host telemetry before treating the source host as compromised.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [106.55.62.131] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202220; rev:1;)
alert tcp $HOME_NET any -> [185.106.123.114] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202221; rev:1;)
alert tcp $HOME_NET any -> [64.225.20.68] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202222; rev:1;)
alert tcp $HOME_NET any -> [149.56.80.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202223; rev:1;)
# NOTE(review): sid 905202224 and 905202225 share one destination
# (5.181.156.126:443) and differ only in msg. A single connection matches both,
# so expect two alerts with different family labels for the same flow, and
# correlate them as one event.
alert tcp $HOME_NET any -> [5.181.156.126] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202224; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.126] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202225; rev:1;)
alert tcp $HOME_NET any -> [152.89.247.75] 2810 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202226; rev:1;)
alert tcp $HOME_NET any -> [18.223.156.62] 4656 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202227; rev:1;)
# NOTE(review): the next rule is TCP to port 53. It does not see UDP traffic
# to the same host. Confirm that any pass or suppress rules written for DNS
# ports on this sensor do not mask it.
alert tcp $HOME_NET any -> [158.69.149.45] 53 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202228; rev:1;)
alert tcp $HOME_NET any -> [167.114.77.20] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202229; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.5] 42012 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202230; rev:1;)
alert tcp $HOME_NET any -> [35.232.94.42] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202231; rev:1;)
alert tcp $HOME_NET any -> [185.157.161.20] 20058 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202232; rev:1;)
alert tcp $HOME_NET any -> [64.225.101.13] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202233; rev:1;)
alert tcp $HOME_NET any -> [95.216.105.73] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202234; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.133] 1404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202235; rev:1;)
alert tcp $HOME_NET any -> [34.91.233.147] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202236; rev:1;)
alert tcp $HOME_NET any -> [160.20.147.107] 1508 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202237; rev:1;)
alert tcp $HOME_NET any -> [3.20.238.67] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202238; rev:1;)
alert tcp $HOME_NET any -> [160.20.145.218] 5072 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202239; rev:1;)
alert tcp $HOME_NET any -> [103.151.125.236] 5665 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202240; rev:1;)
alert tcp $HOME_NET any -> [203.159.80.241] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202241; rev:1;)
alert tcp $HOME_NET any -> [3.12.163.16] 7777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202242; rev:1;)
alert tcp $HOME_NET any -> [178.238.8.204] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202243; rev:1;)
alert tcp $HOME_NET any -> [51.81.126.20] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202244; rev:1;)
alert tcp $HOME_NET any -> [34.91.203.83] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202245; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.229] 8746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202246; rev:1;)
alert tcp $HOME_NET any -> [41.214.187.35] 1993 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202247; rev:1;)
alert tcp $HOME_NET any -> [195.62.33.224] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202248; rev:1;)
alert tcp $HOME_NET any -> [152.89.247.27] 1210 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202249; rev:1;)
alert tcp $HOME_NET any -> [35.241.172.252] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202250; rev:1;)
alert tcp $HOME_NET any -> [185.118.164.167] 2442 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202251; rev:1;)
alert tcp $HOME_NET any -> [5.2.68.70] 8070 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202252; rev:1;)
alert tcp $HOME_NET any -> [193.42.26.19] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202253; rev:1;)
alert tcp $HOME_NET any -> [3.128.190.178] 7777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202254; rev:1;)
alert tcp $HOME_NET any -> [42.51.46.58] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202255; rev:1;)
alert tcp $HOME_NET any -> [34.107.19.249] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202256; rev:1;)
alert tcp $HOME_NET any -> [189.232.4.114] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202257; rev:1;)
alert tcp $HOME_NET any -> [45.85.90.192] 44277 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202258; rev:1;)
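# Reviewer notes for the rules that follow (sid 905202259 to 905202344):
# - Layout: one rule per physical line. Snort 2 and Suricata expect a rule on a
#   single line unless each broken line ends with a backslash.
# - Match scope: destination IP and TCP port only, on an established flow from
#   $HOME_NET (flow:established,to_server). There are no payload or TLS content
#   options, so a hit shows that a connection was made, not what was exchanged.
# - Attribution: the family named in msg is the feed's "likely" label.
# - Alert volume: threshold type limit, track by_src, seconds 60, count 1 gives
#   at most one alert per source address per rule in a 60-second window. Use
#   flow or connection logs to size the activity, not the alert count.
# - Action is alert (detection only). The same address can appear in several
#   rules, one per port.
# - Triage: IP:port indicators age, and an address may since have been
#   reassigned or shared (not verifiable from this file). Check the feed's
#   "Last updated" header and corroborate with host or TLS evidence before
#   treating a hit as a confirmed infection.
alert tcp $HOME_NET any -> [3.128.190.178] 2403 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202259; rev:1;)
alert tcp $HOME_NET any -> [94.103.80.254] 4334 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202260; rev:1;)
alert tcp $HOME_NET any -> [154.209.5.14] 10443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202261; rev:1;)
alert tcp $HOME_NET any -> [103.212.180.246] 5554 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202262; rev:1;)
alert tcp $HOME_NET any -> [45.77.46.72] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202263; rev:1;)
alert tcp $HOME_NET any -> [91.243.45.11] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202264; rev:1;)
alert tcp $HOME_NET any -> [34.69.90.254] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202265; rev:1;)
alert tcp $HOME_NET any -> [185.157.161.223] 1973 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202266; rev:1;)
alert tcp $HOME_NET any -> [189.232.49.230] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202267; rev:1;)
alert tcp $HOME_NET any -> [35.228.252.199] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202268; rev:1;)
alert tcp $HOME_NET any -> [36.110.239.122] 4430 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202269; rev:1;)
alert tcp $HOME_NET any -> [46.101.58.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202270; rev:1;)
alert tcp $HOME_NET any -> [121.37.139.238] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202271; rev:1;)
alert tcp $HOME_NET any -> [3.128.190.178] 1488 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202272; rev:1;)
alert tcp $HOME_NET any -> [195.123.209.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202273; rev:1;)
alert tcp $HOME_NET any -> [195.123.213.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202274; rev:1;)
alert tcp $HOME_NET any -> [104.200.67.118] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202275; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.26] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202276; rev:1;)
alert tcp $HOME_NET any -> [172.93.201.100] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202277; rev:1;)
alert tcp $HOME_NET any -> [3.128.254.246] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202278; rev:1;)
alert tcp $HOME_NET any -> [91.109.176.8] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202279; rev:1;)
alert tcp $HOME_NET any -> [154.16.67.107] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202280; rev:1;)
alert tcp $HOME_NET any -> [3.128.190.178] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202281; rev:1;)
alert tcp $HOME_NET any -> [3.19.75.7] 7777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202282; rev:1;)
alert tcp $HOME_NET any -> [3.128.190.178] 1222 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202283; rev:1;)
alert tcp $HOME_NET any -> [141.255.155.228] 1188 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202284; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.8] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202285; rev:1;)
alert tcp $HOME_NET any -> [45.153.203.55] 44277 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202286; rev:1;)
alert tcp $HOME_NET any -> [89.182.79.1] 3601 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202287; rev:1;)
alert tcp $HOME_NET any -> [107.191.62.88] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202288; rev:1;)
alert tcp $HOME_NET any -> [198.102.14.18] 4712 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202289; rev:1;)
alert tcp $HOME_NET any -> [185.82.218.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202290; rev:1;)
alert tcp $HOME_NET any -> [181.141.5.139] 8050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202291; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 26187 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202292; rev:1;)
alert tcp $HOME_NET any -> [23.106.160.164] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202293; rev:1;)
alert tcp $HOME_NET any -> [172.104.247.192] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202294; rev:1;)
alert tcp $HOME_NET any -> [103.151.123.132] 6204 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202295; rev:1;)
alert tcp $HOME_NET any -> [88.214.59.150] 9911 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202296; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.126] 3000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202297; rev:1;)
alert tcp $HOME_NET any -> [54.84.206.216] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202298; rev:1;)
alert tcp $HOME_NET any -> [158.247.220.30] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202299; rev:1;)
alert tcp $HOME_NET any -> [195.2.92.62] 443 (msg:"SSLBL: Traffic to malicious host (likely FIN7 traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202300; rev:1;)
alert tcp $HOME_NET any -> [18.188.163.174] 45165 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202301; rev:1;)
alert tcp $HOME_NET any -> [86.107.197.52] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202302; rev:1;)
alert tcp $HOME_NET any -> [104.243.41.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202303; rev:1;)
alert tcp $HOME_NET any -> [23.146.242.233] 5000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202304; rev:1;)
alert tcp $HOME_NET any -> [194.26.29.191] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202305; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.53] 8765 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202306; rev:1;)
alert tcp $HOME_NET any -> [193.218.118.85] 1781 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202307; rev:1;)
alert tcp $HOME_NET any -> [213.217.0.217] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202308; rev:1;)
alert tcp $HOME_NET any -> [185.130.213.157] 666 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202309; rev:1;)
alert tcp $HOME_NET any -> [185.20.186.108] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202310; rev:1;)
alert tcp $HOME_NET any -> [182.186.116.148] 6905 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202311; rev:1;)
alert tcp $HOME_NET any -> [45.43.2.204] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202312; rev:1;)
alert tcp $HOME_NET any -> [139.28.235.223] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202313; rev:1;)
alert tcp $HOME_NET any -> [194.127.179.247] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202314; rev:1;)
alert tcp $HOME_NET any -> [176.58.112.29] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202315; rev:1;)
alert tcp $HOME_NET any -> [54.89.120.178] 1605 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202316; rev:1;)
alert tcp $HOME_NET any -> [45.153.203.230] 4016 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202317; rev:1;)
alert tcp $HOME_NET any -> [76.6.210.168] 1337 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202318; rev:1;)
alert tcp $HOME_NET any -> [145.239.145.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202319; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.134] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202320; rev:1;)
alert tcp $HOME_NET any -> [93.95.227.30] 5506 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202321; rev:1;)
alert tcp $HOME_NET any -> [185.239.242.118] 4016 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202322; rev:1;)
alert tcp $HOME_NET any -> [182.186.40.205] 6905 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202323; rev:1;)
alert tcp $HOME_NET any -> [91.109.190.2] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202324; rev:1;)
alert tcp $HOME_NET any -> [115.220.8.189] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202325; rev:1;)
alert tcp $HOME_NET any -> [201.219.204.73] 1881 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202326; rev:1;)
alert tcp $HOME_NET any -> [119.45.183.69] 8880 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202327; rev:1;)
alert tcp $HOME_NET any -> [139.28.235.223] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202328; rev:1;)
alert tcp $HOME_NET any -> [179.43.166.30] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202329; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.137] 4723 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202330; rev:1;)
alert tcp $HOME_NET any -> [85.143.217.252] 8084 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202331; rev:1;)
alert tcp $HOME_NET any -> [142.202.188.249] 2025 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202332; rev:1;)
alert tcp $HOME_NET any -> [91.109.176.8] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202333; rev:1;)
alert tcp $HOME_NET any -> [192.169.6.68] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202334; rev:1;)
alert tcp $HOME_NET any -> [161.129.71.137] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202335; rev:1;)
alert tcp $HOME_NET any -> [194.36.191.32] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202336; rev:1;)
alert tcp $HOME_NET any -> [172.94.42.34] 8890 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202337; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 50232 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202338; rev:1;)
alert tcp $HOME_NET any -> [45.76.177.3] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202339; rev:1;)
alert tcp $HOME_NET any -> [122.228.4.170] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202340; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.231] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202341; rev:1;)
alert tcp $HOME_NET any -> [77.149.2.122] 5552 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202342; rev:1;)
alert tcp $HOME_NET any -> [45.141.84.215] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202343; rev:1;)
alert tcp $HOME_NET any -> [139.59.162.149] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202344; rev:1;)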
alert tcp $HOME_NET any -> [51.81.7.200] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202345; rev:1;) alert tcp $HOME_NET any -> [37.46.150.236] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202346; rev:1;) alert tcp $HOME_NET any -> [142.202.191.119] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202347; rev:1;) alert tcp $HOME_NET any -> [13.58.93.231] 7777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202348; rev:1;) alert tcp $HOME_NET any -> [185.150.24.55] 9879 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202349; rev:1;) alert tcp $HOME_NET any -> [3.138.139.210] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202350; rev:1;) alert tcp $HOME_NET any -> [51.81.241.89] 8331 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202351; rev:1;) alert tcp $HOME_NET any -> [5.39.217.241] 4016 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202352; rev:1;) alert tcp $HOME_NET any -> [194.5.98.136] 1177 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202353; rev:1;) alert tcp $HOME_NET any -> [172.93.222.169] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202354; rev:1;) alert tcp $HOME_NET any -> [45.145.185.50] 43360 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202355; rev:1;) alert tcp $HOME_NET any -> [161.129.71.135] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202356; rev:1;) alert tcp $HOME_NET any -> [185.244.30.225] 51817 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202357; rev:1;) alert tcp $HOME_NET any -> [185.140.53.224] 9845 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202358; rev:1;) alert tcp $HOME_NET any -> [95.179.211.251] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202359; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 31330 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202360; rev:1;) alert tcp $HOME_NET any -> [172.94.42.34] 4042 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202361; rev:1;) alert tcp $HOME_NET any -> [179.43.140.189] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202362; rev:1;) alert tcp $HOME_NET any -> [101.37.76.168] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202363; rev:1;) alert tcp $HOME_NET any -> [5.189.166.237] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202364; rev:1;) alert tcp $HOME_NET any -> [161.129.71.133] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202365; rev:1;) alert tcp $HOME_NET any -> [141.105.66.243] 4016 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202366; rev:1;) alert tcp $HOME_NET any -> [23.227.202.13] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202367; rev:1;) alert tcp $HOME_NET any -> [103.114.107.184] 7180 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202368; rev:1;)
# Reviewer notes for the rules below (layout restored to one rule per line;
# the fragment above and the last line of this section belong to rules that
# continue outside this section and are left as found):
# - Each rule matches only on destination IP and TCP port for an established,
#   client-to-server flow from $HOME_NET. There is no payload, TLS or
#   certificate match, so any connection to that IP:port raises the alert.
# - "threshold: type limit, track by_src, seconds 60, count 1" emits at most
#   one alert per source address per 60 seconds for a given rule; later
#   connections inside that window are not alerted, so use flow records for
#   connection counts and timing.
# - The family name in msg is the feed's own "likely" attribution. Several
#   destination IPs recur here with different ports and families (for example
#   92.185.183.6 and 103.99.1.128), so triage on the host, not the label alone.
# - IP addresses are reassigned over time and this is the "Aggressive" ruleset
#   per the file header; check a hit against the header's last-updated time and
#   host-side evidence before treating it as a confirmed infection.
alert tcp $HOME_NET any -> [79.134.225.69] 1973 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202369; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.107] 6606 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202370; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.131] 2190 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202371; rev:1;)
alert tcp $HOME_NET any -> [88.214.59.150] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202372; rev:1;)
alert tcp $HOME_NET any -> [119.29.18.190] 8090 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202373; rev:1;)
alert tcp $HOME_NET any -> [179.43.140.133] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202374; rev:1;)
alert tcp $HOME_NET any -> [193.23.3.13] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202375; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.131] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202376; rev:1;)
alert tcp $HOME_NET any -> [80.80.130.110] 644 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202377; rev:1;)
alert tcp $HOME_NET any -> [154.16.248.44] 40770 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202378; rev:1;)
alert tcp $HOME_NET any -> [134.122.40.38] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202379; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.23] 30493 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202380; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.107] 4783 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202381; rev:1;)
alert tcp $HOME_NET any -> [195.206.105.10] 3988 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202382; rev:1;)
alert tcp $HOME_NET any -> [185.200.243.169] 51817 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202383; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.189] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202384; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.18] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202385; rev:1;)
alert tcp $HOME_NET any -> [20.50.121.62] 1604 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202386; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.188] 1993 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202387; rev:1;)
alert tcp $HOME_NET any -> [91.109.186.3] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202388; rev:1;)
alert tcp $HOME_NET any -> [176.43.110.149] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202389; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.135] 1010 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202390; rev:1;)
alert tcp $HOME_NET any -> [80.209.241.21] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202391; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.45] 2233 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202392; rev:1;)
alert tcp $HOME_NET any -> [18.188.97.62] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202393; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.173] 1993 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202394; rev:1;)
alert tcp $HOME_NET any -> [115.126.25.22] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202395; rev:1;)
alert tcp $HOME_NET any -> [198.23.212.149] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202396; rev:1;)
alert tcp $HOME_NET any -> [13.58.162.35] 1028 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202397; rev:1;)
alert tcp $HOME_NET any -> [124.156.187.132] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202398; rev:1;)
alert tcp $HOME_NET any -> [136.244.98.158] 1000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202399; rev:1;)
alert tcp $HOME_NET any -> [92.185.183.6] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202400; rev:1;)
alert tcp $HOME_NET any -> [84.38.180.119] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202401; rev:1;)
alert tcp $HOME_NET any -> [103.153.100.248] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202402; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.182] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202403; rev:1;)
alert tcp $HOME_NET any -> [68.235.43.126] 56927 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202404; rev:1;)
alert tcp $HOME_NET any -> [194.33.45.43] 1177 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202405; rev:1;)
alert tcp $HOME_NET any -> [85.86.181.192] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202406; rev:1;)
alert tcp $HOME_NET any -> [107.172.100.227] 3040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202407; rev:1;)
alert tcp $HOME_NET any -> [103.147.184.53] 1991 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202408; rev:1;)
alert tcp $HOME_NET any -> [13.58.162.35] 6207 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202409; rev:1;)
alert tcp $HOME_NET any -> [218.253.251.89] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202410; rev:1;)
alert tcp $HOME_NET any -> [68.235.43.124] 56927 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202411; rev:1;)
alert tcp $HOME_NET any -> [3.87.210.81] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202412; rev:1;)
alert tcp $HOME_NET any -> [46.243.150.195] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202413; rev:1;)
alert tcp $HOME_NET any -> [217.69.0.99] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202414; rev:1;)
alert tcp $HOME_NET any -> [41.105.120.192] 1231 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202415; rev:1;)
alert tcp $HOME_NET any -> [107.172.100.223] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202416; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.122] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202417; rev:1;)
alert tcp $HOME_NET any -> [198.23.212.148] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202418; rev:1;)
alert tcp $HOME_NET any -> [188.72.124.19] 3310 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202419; rev:1;)
alert tcp $HOME_NET any -> [95.179.152.155] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202420; rev:1;)
alert tcp $HOME_NET any -> [92.185.183.6] 81 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202421; rev:1;)
alert tcp $HOME_NET any -> [182.150.0.31] 19530 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202422; rev:1;)
alert tcp $HOME_NET any -> [194.156.98.71] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202423; rev:1;)
alert tcp $HOME_NET any -> [168.119.103.207] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202424; rev:1;)
alert tcp $HOME_NET any -> [185.58.92.18] 5353 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202425; rev:1;)
alert tcp $HOME_NET any -> [135.181.8.164] 4654 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202426; rev:1;)
alert tcp $HOME_NET any -> [196.74.226.94] 92 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202427; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.216] 5210 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202428; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.165] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202429; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.128] 9875 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202430; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.93] 4545 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202431; rev:1;)
alert tcp $HOME_NET any -> [46.31.77.31] 1453 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202432; rev:1;)
alert tcp $HOME_NET any -> [38.132.99.154] 1234 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202433; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.88] 6458 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202434; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.178] 7743 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202435; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.234] 5366 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202436; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.22] 7898 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202437; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.22] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202438; rev:1;)
alert tcp $HOME_NET any -> [195.20.109.121] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202439; rev:1;)
alert tcp $HOME_NET any -> [92.185.183.6] 14444 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202440; rev:1;)
alert tcp $HOME_NET any -> [37.46.150.155] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202441; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.186] 9000 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202442; rev:1;)
alert tcp $HOME_NET any -> [38.68.46.205] 8950 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202443; rev:1;)
alert tcp $HOME_NET any -> [13.58.162.35] 10137 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202444; rev:1;)
alert tcp $HOME_NET any -> [196.89.158.176] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202445; rev:1;)
alert tcp $HOME_NET any -> [80.89.230.61] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202446; rev:1;)
alert tcp $HOME_NET any -> [3.35.158.172] 1199 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202447; rev:1;)
alert tcp $HOME_NET any -> [45.15.143.195] 5366 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202448; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.173] 5922 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202449; rev:1;)
alert tcp $HOME_NET any -> [212.8.246.174] 3465 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202450; rev:1;)
alert tcp $HOME_NET any -> [176.48.141.174] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202451; rev:1;)
alert tcp $HOME_NET any -> [5.2.68.112] 2442 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202452; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.191] 4185 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202453; rev:1;)
alert tcp $HOME_NET any -> [168.119.170.202] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202454; rev:1;)
alert tcp $HOME_NET any -> [135.181.96.16] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202455; rev:1;)
alert tcp $HOME_NET any -> [13.58.162.35] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202456; rev:1;)
alert tcp $HOME_NET any -> [82.246.130.70] 4440 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202457; rev:1;)
alert tcp $HOME_NET any -> [87.98.245.48] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202458; rev:1;)
alert tcp $HOME_NET any -> [185.58.92.18] 4500 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202459; rev:1;)
alert tcp $HOME_NET any -> [120.78.194.220] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202460; rev:1;)
alert tcp $HOME_NET any -> [185.157.161.86] 20058 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202461; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.128] 3071 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202462; rev:1;)
alert tcp $HOME_NET any -> [139.155.18.71] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202463; rev:1;)
alert tcp $HOME_NET any -> [51.11.247.87] 2053 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202464; rev:1;)
alert tcp $HOME_NET any -> [86.137.28.177] 3073 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202465; rev:1;)
alert tcp $HOME_NET any -> [141.255.157.36] 10001 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202466; rev:1;)
alert tcp $HOME_NET any -> [192.121.102.72] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202467; rev:1;)
alert tcp $HOME_NET any -> [154.127.53.5] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202468; rev:1;)
alert tcp $HOME_NET any -> [139.59.23.248] 3439 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202469; rev:1;)
alert tcp $HOME_NET any -> [88.229.12.141] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202470; rev:1;)
alert tcp $HOME_NET any -> [191.88.250.254] 8050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202471; rev:1;)
alert tcp $HOME_NET any -> [192.121.102.80] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202472; rev:1;)
alert tcp $HOME_NET any -> [88.229.12.141] 222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202473; rev:1;)
alert tcp $HOME_NET any -> [3.22.15.135] 14345 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202474; rev:1;)
alert tcp $HOME_NET any -> [45.133.216.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202475; rev:1;)
alert tcp $HOME_NET any -> [8.210.39.131] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202476; rev:1;)
alert tcp $HOME_NET any -> [174.138.10.67] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202477; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.166] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202478; rev:1;)
alert tcp $HOME_NET any -> [41.216.186.241] 443 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202479; rev:1;)
alert tcp $HOME_NET any -> [173.234.155.108] 6666 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202480; rev:1;)
alert tcp $HOME_NET any -> [45.32.146.181] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202481; rev:1;)
alert tcp $HOME_NET any -> [197.207.162.125] 1231 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202482; rev:1;)
alert tcp $HOME_NET any -> [185.157.161.86] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202483; rev:1;)
alert tcp $HOME_NET any -> [3.95.159.27] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202484; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.128] 6204 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202485; rev:1;)
alert tcp $HOME_NET any -> [192.119.6.132] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202486; rev:1;)
alert tcp $HOME_NET any -> [220.78.86.55] 1324 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202487; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 52297 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202488; rev:1;)
alert tcp $HOME_NET any -> [1.54.66.90] 3189 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202489; rev:1;)
alert tcp $HOME_NET any -> [85.86.181.192] 3333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202490; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 56207 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202491; rev:1;)
alert tcp $HOME_NET any -> [103.149.27.116] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202492; rev:1;)
alert tcp $HOME_NET any -> [178.33.222.243] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202493; rev:1;)
alert tcp $HOME_NET any -> [74.124.24.29] 2221 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202494; rev:1;)
alert tcp $HOME_NET any -> [220.89.249.206] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202495; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.226] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202496; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.119] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202497; rev:1;)
alert tcp $HOME_NET any -> [185.244.26.240] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202498; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.186] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202499; rev:1;)
alert tcp $HOME_NET any -> [185.118.164.215] 4545 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202500; rev:1;)
alert tcp $HOME_NET any -> [185.36.81.30] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202501; rev:1;)
alert tcp $HOME_NET any -> [172.245.45.22] 9800 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202502; rev:1;)
alert tcp $HOME_NET any -> [54.39.49.150] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202503; rev:1;)
alert tcp $HOME_NET any -> [178.62.18.176] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202504; rev:1;)
alert tcp $HOME_NET any -> [178.33.222.243] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202505; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.46] 7890 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202506; rev:1;)
alert tcp $HOME_NET any -> [101.33.11.45] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202507; rev:1;)
alert tcp $HOME_NET any -> [104.248.32.109] 22998 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202508; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.221] 7743 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202509; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.221] 6458 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202510; rev:1;)
alert tcp $HOME_NET any -> [179.43.166.54] 8070 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202511; rev:1;)
alert tcp $HOME_NET any -> [47.93.122.30] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202512; rev:1;)
alert tcp $HOME_NET any -> [142.202.190.30] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202513; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 21457 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202514; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.18] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202515; rev:1;)
alert tcp $HOME_NET any -> [38.74.14.151] 7832 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202516; rev:1;)
alert tcp $HOME_NET any -> [142.202.190.30] 3040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202517; rev:1;)
alert tcp $HOME_NET any -> [66.63.162.20] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202518; rev:1;)
alert tcp $HOME_NET any -> [35.226.208.32] 4440 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202519; rev:1;)
alert tcp $HOME_NET any -> [111.229.83.227] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202520; rev:1;)
alert tcp $HOME_NET any -> [45.227.255.74] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202521; rev:1;)
alert tcp $HOME_NET any -> [180.214.236.99] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202522; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.24] 1800 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202523; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.17] 9040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202524; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.161] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202525; rev:1;)
alert tcp $HOME_NET any -> [86.106.181.177] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202526; rev:1;)
alert tcp $HOME_NET any -> [3.19.26.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202527; rev:1;)
alert tcp $HOME_NET any -> [41.141.241.250] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202528; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.129] 3071 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202529; rev:1;)
alert tcp $HOME_NET any -> [37.120.208.40] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202530; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.211] 5277 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202531; rev:1;)
alert tcp $HOME_NET any -> [198.44.97.180] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202532; rev:1;) alert tcp $HOME_NET any -> [45.142.215.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202533; rev:1;) alert tcp $HOME_NET any -> [185.82.202.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202534; rev:1;) alert tcp $HOME_NET any -> [54.253.227.154] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202535; rev:1;) alert tcp $HOME_NET any -> [185.14.30.217] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202536; rev:1;) alert tcp $HOME_NET any -> [185.128.25.29] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202537; rev:1;) alert tcp $HOME_NET any -> [160.20.146.178] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202538; rev:1;) alert tcp $HOME_NET any -> [39.37.22.52] 6905 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202539; rev:1;) alert tcp $HOME_NET any -> [172.86.75.177] 6922 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202540; rev:1;) alert tcp $HOME_NET any -> [185.191.32.180] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202541; rev:1;) alert tcp $HOME_NET any -> [185.144.29.169] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202542; rev:1;) alert tcp $HOME_NET any -> [81.70.2.180] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202543; rev:1;) alert tcp $HOME_NET any -> [185.193.36.73] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202544; rev:1;) alert tcp $HOME_NET any -> [178.128.220.110] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202545; rev:1;) alert tcp $HOME_NET any -> [103.74.192.54] 4443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202546; rev:1;) alert tcp $HOME_NET any -> [3.21.227.133] 3302 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202547; rev:1;) alert tcp $HOME_NET any -> [47.114.39.239] 12345 (msg:"SSLBL: Traffic to 
malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202548; rev:1;) alert tcp $HOME_NET any -> [27.22.58.175] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202549; rev:1;) alert tcp $HOME_NET any -> [185.157.162.81] 1973 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202550; rev:1;) alert tcp $HOME_NET any -> [185.157.162.81] 1973 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202551; rev:1;) alert tcp $HOME_NET any -> [185.20.185.96] 9091 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202552; rev:1;) alert tcp $HOME_NET any -> [147.229.68.116] 1268 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202553; rev:1;) alert tcp $HOME_NET any -> [193.239.147.22] 43360 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202554; rev:1;) alert tcp $HOME_NET any -> [91.241.19.51] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202555; rev:1;) alert tcp $HOME_NET any -> 
[103.153.76.244] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202556; rev:1;) alert tcp $HOME_NET any -> [185.157.161.109] 1973 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202557; rev:1;) alert tcp $HOME_NET any -> [171.221.221.25] 2049 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202558; rev:1;) alert tcp $HOME_NET any -> [79.134.225.20] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202559; rev:1;) alert tcp $HOME_NET any -> [45.134.21.8] 72 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202560; rev:1;) alert tcp $HOME_NET any -> [2.56.213.183] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202561; rev:1;) alert tcp $HOME_NET any -> [154.44.177.186] 4433 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202562; rev:1;) alert tcp $HOME_NET any -> [185.19.85.155] 5080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202563; rev:1;) alert tcp $HOME_NET any -> [45.144.30.25] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202564; rev:1;) alert tcp $HOME_NET any -> [185.105.109.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware.DarkSide C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202565; rev:1;) alert tcp $HOME_NET any -> [45.141.59.139] 9898 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202566; rev:1;) alert tcp $HOME_NET any -> [88.119.171.64] 72 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202567; rev:1;) alert tcp $HOME_NET any -> [41.227.47.76] 4898 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202568; rev:1;) alert tcp $HOME_NET any -> [207.148.70.82] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202569; rev:1;) alert tcp $HOME_NET any -> [175.203.53.37] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202570; rev:1;) alert tcp $HOME_NET any -> [160.20.146.178] 5075 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905202571; rev:1;) alert tcp $HOME_NET any -> [34.203.235.59] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202572; rev:1;) alert tcp $HOME_NET any -> [80.82.77.164] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202573; rev:1;) alert tcp $HOME_NET any -> [117.51.149.186] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202574; rev:1;) alert tcp $HOME_NET any -> [178.79.134.144] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202575; rev:1;) alert tcp $HOME_NET any -> [194.5.97.249] 9951 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202576; rev:1;) alert tcp $HOME_NET any -> [185.250.242.202] 7000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202577; rev:1;) alert tcp $HOME_NET any -> [185.128.25.29] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202578; rev:1;) alert tcp $HOME_NET any -> [45.144.30.41] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202579; rev:1;) alert tcp $HOME_NET any -> [23.105.131.165] 8094 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202580; rev:1;) alert tcp $HOME_NET any -> [185.58.95.125] 4500 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202581; rev:1;) alert tcp $HOME_NET any -> [45.141.59.139] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202582; rev:1;) alert tcp $HOME_NET any -> [132.232.94.126] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202583; rev:1;) alert tcp $HOME_NET any -> [79.134.225.54] 4545 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202584; rev:1;) alert tcp $HOME_NET any -> [195.123.217.7] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202585; rev:1;) alert tcp $HOME_NET any -> [154.208.76.59] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202586; rev:1;) alert tcp $HOME_NET any -> [161.35.218.255] 443 (msg:"SSLBL: Traffic to 
malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202587; rev:1;) alert tcp $HOME_NET any -> [79.134.225.37] 30493 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202588; rev:1;) alert tcp $HOME_NET any -> [79.134.225.50] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202589; rev:1;) alert tcp $HOME_NET any -> [5.230.22.165] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202590; rev:1;) alert tcp $HOME_NET any -> [47.95.37.84] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202591; rev:1;) alert tcp $HOME_NET any -> [34.211.110.219] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202592; rev:1;) alert tcp $HOME_NET any -> [185.128.25.29] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202593; rev:1;) alert tcp $HOME_NET any -> [47.103.212.53] 16777 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202594; rev:1;) alert tcp $HOME_NET any -> 
[69.51.24.27] 666 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202595; rev:1;) alert tcp $HOME_NET any -> [37.120.208.39] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202596; rev:1;) alert tcp $HOME_NET any -> [37.59.47.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202597; rev:1;) alert tcp $HOME_NET any -> [37.120.208.36] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202598; rev:1;) alert tcp $HOME_NET any -> [78.128.113.14] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202599; rev:1;) alert tcp $HOME_NET any -> [45.140.147.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202600; rev:1;) alert tcp $HOME_NET any -> [45.140.146.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202601; rev:1;) alert tcp $HOME_NET any -> [81.69.14.19] 45832 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202602; 
rev:1;) alert tcp $HOME_NET any -> [173.234.25.74] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202603; rev:1;) alert tcp $HOME_NET any -> [192.253.244.149] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202604; rev:1;) alert tcp $HOME_NET any -> [119.3.141.162] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202605; rev:1;) alert tcp $HOME_NET any -> [185.153.198.121] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202606; rev:1;) alert tcp $HOME_NET any -> [176.122.152.67] 4433 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202607; rev:1;) alert tcp $HOME_NET any -> [194.113.34.49] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202608; rev:1;) alert tcp $HOME_NET any -> [37.120.208.36] 49703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202609; rev:1;) alert tcp $HOME_NET any -> [47.91.237.42] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905202610; rev:1;) alert tcp $HOME_NET any -> [79.134.225.14] 8070 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202611; rev:1;) alert tcp $HOME_NET any -> [172.245.26.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202612; rev:1;) alert tcp $HOME_NET any -> [203.115.24.234] 8282 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202613; rev:1;) alert tcp $HOME_NET any -> [185.244.30.253] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202614; rev:1;) alert tcp $HOME_NET any -> [62.102.148.158] 62727 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202615; rev:1;) alert tcp $HOME_NET any -> [45.32.129.110] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202616; rev:1;) alert tcp $HOME_NET any -> [185.244.26.206] 20905 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202617; rev:1;) alert tcp $HOME_NET any -> [142.202.190.27] 3040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202618; rev:1;) alert tcp $HOME_NET any -> [79.134.225.99] 4726 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202619; rev:1;) alert tcp $HOME_NET any -> [160.20.146.178] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202620; rev:1;) alert tcp $HOME_NET any -> [185.140.53.234] 2558 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202621; rev:1;) alert tcp $HOME_NET any -> [43.242.201.222] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202622; rev:1;) alert tcp $HOME_NET any -> [79.134.225.104] 20905 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202623; rev:1;) alert tcp $HOME_NET any -> [169.61.11.75] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202624; rev:1;) alert tcp $HOME_NET any -> [91.109.188.7] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202625; rev:1;) alert tcp $HOME_NET any -> [84.38.183.222] 443 (msg:"SSLBL: Traffic to malicious host (likely 
CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202626; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 57654 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202627; rev:1;) alert tcp $HOME_NET any -> [108.62.118.217] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202628; rev:1;) alert tcp $HOME_NET any -> [8.210.125.201] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202629; rev:1;) alert tcp $HOME_NET any -> [217.12.208.31] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202630; rev:1;) alert tcp $HOME_NET any -> [155.94.198.169] 1990 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202631; rev:1;) alert tcp $HOME_NET any -> [154.127.53.31] 5252 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202632; rev:1;) alert tcp $HOME_NET any -> [194.5.97.177] 10011 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202633; rev:1;) alert tcp $HOME_NET any -> [18.207.200.0] 443 
(msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202634; rev:1;) alert tcp $HOME_NET any -> [3.15.15.105] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202635; rev:1;) alert tcp $HOME_NET any -> [47.242.30.106] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202636; rev:1;) alert tcp $HOME_NET any -> [45.254.64.7] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202637; rev:1;) alert tcp $HOME_NET any -> [18.216.15.65] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202638; rev:1;) alert tcp $HOME_NET any -> [34.204.7.171] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202639; rev:1;) alert tcp $HOME_NET any -> [91.193.75.108] 8070 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202640; rev:1;) alert tcp $HOME_NET any -> [37.120.208.37] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202641; rev:1;) alert tcp 
$HOME_NET any -> [47.108.129.143] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202642; rev:1;) alert tcp $HOME_NET any -> [95.181.157.49] 1738 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202643; rev:1;) alert tcp $HOME_NET any -> [217.12.218.250] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202644; rev:1;) alert tcp $HOME_NET any -> [188.119.112.174] 8081 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202645; rev:1;) alert tcp $HOME_NET any -> [3.129.73.255] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202646; rev:1;) alert tcp $HOME_NET any -> [185.244.30.185] 9101 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202647; rev:1;) alert tcp $HOME_NET any -> [96.9.241.60] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202648; rev:1;) alert tcp $HOME_NET any -> [18.223.210.216] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202649; rev:1;) alert tcp $HOME_NET any -> [206.166.251.75] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202650; rev:1;) alert tcp $HOME_NET any -> [49.233.89.89] 8443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202651; rev:1;) alert tcp $HOME_NET any -> [185.140.53.186] 2626 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202652; rev:1;) alert tcp $HOME_NET any -> [45.147.229.52] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202653; rev:1;) alert tcp $HOME_NET any -> [91.203.193.163] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202654; rev:1;) alert tcp $HOME_NET any -> [157.230.184.142] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202655; rev:1;) alert tcp $HOME_NET any -> [2.56.213.183] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202656; rev:1;) alert tcp $HOME_NET any -> [79.134.225.99] 4449 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202657; rev:1;) alert tcp $HOME_NET any -> [54.236.241.94] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202658; rev:1;) alert tcp $HOME_NET any -> [35.161.73.88] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202659; rev:1;) alert tcp $HOME_NET any -> [177.255.91.168] 8057 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202660; rev:1;) alert tcp $HOME_NET any -> [62.171.141.54] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202661; rev:1;) alert tcp $HOME_NET any -> [185.140.53.141] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202662; rev:1;) alert tcp $HOME_NET any -> [47.241.25.81] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202663; rev:1;) alert tcp $HOME_NET any -> [185.165.153.249] 4371 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202664; rev:1;) alert tcp $HOME_NET any -> [185.118.167.189] 443 (msg:"SSLBL: Traffic to malicious host (likely 
Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202665; rev:1;) alert tcp $HOME_NET any -> [47.251.11.230] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202666; rev:1;) alert tcp $HOME_NET any -> [46.166.161.85] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202667; rev:1;) alert tcp $HOME_NET any -> [173.234.155.227] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202668; rev:1;) alert tcp $HOME_NET any -> [207.148.116.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202669; rev:1;) alert tcp $HOME_NET any -> [79.134.225.82] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202670; rev:1;) alert tcp $HOME_NET any -> [3.82.47.49] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202671; rev:1;) alert tcp $HOME_NET any -> [35.160.72.225] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202672; rev:1;) alert tcp $HOME_NET any -> [128.90.115.218] 3470 
(msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202673; rev:1;) alert tcp $HOME_NET any -> [45.128.206.55] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202674; rev:1;) alert tcp $HOME_NET any -> [74.118.138.139] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202675; rev:1;) alert tcp $HOME_NET any -> [79.134.225.39] 6513 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202676; rev:1;) alert tcp $HOME_NET any -> [3.93.232.10] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202677; rev:1;) alert tcp $HOME_NET any -> [45.147.231.65] 3002 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202678; rev:1;) alert tcp $HOME_NET any -> [45.79.72.33] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202679; rev:1;) alert tcp $HOME_NET any -> [54.224.34.171] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202680; rev:1;) alert tcp 
$HOME_NET any -> [18.219.29.151] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202681; rev:1;) alert tcp $HOME_NET any -> [34.222.33.48] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202682; rev:1;) alert tcp $HOME_NET any -> [8.209.124.215] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202683; rev:1;) alert tcp $HOME_NET any -> [2.56.62.44] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202684; rev:1;) alert tcp $HOME_NET any -> [128.90.115.47] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202685; rev:1;) alert tcp $HOME_NET any -> [185.19.85.149] 6667 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202686; rev:1;) alert tcp $HOME_NET any -> [188.116.36.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202687; rev:1;) alert tcp $HOME_NET any -> [8.208.102.117] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202688; rev:1;) alert tcp $HOME_NET any -> [45.128.207.226] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202689; rev:1;) alert tcp $HOME_NET any -> [91.109.176.2] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202690; rev:1;) alert tcp $HOME_NET any -> [139.155.245.29] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202691; rev:1;) alert tcp $HOME_NET any -> [103.214.165.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202692; rev:1;) alert tcp $HOME_NET any -> [93.114.128.73] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202693; rev:1;) alert tcp $HOME_NET any -> [142.93.7.219] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202694; rev:1;) alert tcp $HOME_NET any -> [192.253.244.137] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202695; rev:1;) alert tcp $HOME_NET any -> [45.147.230.131] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905202696; rev:1;) alert tcp $HOME_NET any -> [46.173.218.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202697; rev:1;) alert tcp $HOME_NET any -> [118.107.41.104] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202698; rev:1;) alert tcp $HOME_NET any -> [118.89.139.166] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202699; rev:1;) alert tcp $HOME_NET any -> [54.245.74.151] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202700; rev:1;) alert tcp $HOME_NET any -> [18.188.194.80] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202701; rev:1;) alert tcp $HOME_NET any -> [156.96.47.42] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202702; rev:1;) alert tcp $HOME_NET any -> [193.218.118.190] 2407 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202703; rev:1;) alert tcp $HOME_NET any -> [185.183.96.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202704; rev:1;) alert tcp $HOME_NET any -> [134.19.177.55] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202705; rev:1;) alert tcp $HOME_NET any -> [101.32.183.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202706; rev:1;) alert tcp $HOME_NET any -> [79.134.225.15] 43360 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202707; rev:1;) alert tcp $HOME_NET any -> [194.5.97.130] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202708; rev:1;) alert tcp $HOME_NET any -> [103.27.237.75] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202709; rev:1;) alert tcp $HOME_NET any -> [34.221.202.231] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202710; rev:1;) alert tcp $HOME_NET any -> [3.137.180.197] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202711; rev:1;) alert tcp $HOME_NET any -> [185.165.153.249] 4571 (msg:"SSLBL: Traffic to 
malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202712; rev:1;)
# Rule anatomy (identical for every SSLBL rule in this run): alert on TCP from
# $HOME_NET to one listed destination IP and port.
#   flow:established,to_server  - only client-to-server traffic of an
#                                 established connection is considered.
#   threshold: type limit, track by_src, seconds 60, count 1
#                               - at most one alert per source address per
#                                 60 seconds for that sid.
# No TLS or payload keyword is present, so a hit means "a host reached a listed
# IP:port", not that the family named in msg was identified on the wire.
# Corroborate with TLS certificate fingerprints, DNS or endpoint telemetry
# before attributing a hit to a specific family.
# NOTE(review): the file header marks this as the "Aggressive" SSLBL variant -
# presumably it retains older listings; confirm an address is still listed
# before acting on an alert.
alert tcp $HOME_NET any -> [192.253.244.137] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202713; rev:1;)
alert tcp $HOME_NET any -> [37.120.208.36] 49714 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202714; rev:1;)
alert tcp $HOME_NET any -> [222.114.199.209] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202715; rev:1;)
alert tcp $HOME_NET any -> [8.208.76.109] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202716; rev:1;)
alert tcp $HOME_NET any -> [3.15.221.20] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202717; rev:1;)
alert tcp $HOME_NET any -> [139.59.230.84] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202718; rev:1;)
# NOTE(review): sid 905202719 and sid 905202720 match the same destination
# (101.32.97.85:443) and differ only in the msg label (RaccoonStealer vs. the
# generic "Malware"). The in-rule threshold applies per rule, so one flow
# raises both alerts; triage them as a single event and do not treat the msg
# family as a distinguishing signal.
alert tcp $HOME_NET any -> [101.32.97.85] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202719; rev:1;)
alert tcp $HOME_NET any -> [101.32.97.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202720; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.24] 8913 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202721; rev:1;)
alert tcp $HOME_NET any -> [34.205.89.33] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202722; rev:1;)
alert tcp $HOME_NET any -> [52.34.17.37] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202723; rev:1;)
alert tcp $HOME_NET any -> [47.254.169.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202724; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.217] 3470 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202725; rev:1;)
alert tcp $HOME_NET any -> [54.162.201.128] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202726; rev:1;)
alert tcp $HOME_NET any -> [3.81.126.82] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202727; 
rev:1;) alert tcp $HOME_NET any -> [18.207.182.253] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202728; rev:1;) alert tcp $HOME_NET any -> [3.235.164.215] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202729; rev:1;) alert tcp $HOME_NET any -> [45.128.207.41] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202730; rev:1;) alert tcp $HOME_NET any -> [35.160.125.254] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202731; rev:1;) alert tcp $HOME_NET any -> [52.12.203.202] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202732; rev:1;) alert tcp $HOME_NET any -> [13.58.213.252] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202733; rev:1;) alert tcp $HOME_NET any -> [79.134.225.5] 1221 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202734; rev:1;) alert tcp $HOME_NET any -> [79.134.225.83] 8913 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202735; rev:1;) alert tcp $HOME_NET any -> [202.182.121.93] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202736; rev:1;) alert tcp $HOME_NET any -> [45.128.207.185] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202737; rev:1;) alert tcp $HOME_NET any -> [47.254.26.204] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202738; rev:1;) alert tcp $HOME_NET any -> [178.79.179.200] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202739; rev:1;) alert tcp $HOME_NET any -> [79.134.225.40] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202740; rev:1;) alert tcp $HOME_NET any -> [54.175.34.120] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202741; rev:1;) alert tcp $HOME_NET any -> [18.209.104.208] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202742; rev:1;) alert tcp $HOME_NET any -> [185.165.153.140] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202743; rev:1;) alert tcp $HOME_NET any -> [161.117.254.2] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202744; rev:1;) alert tcp $HOME_NET any -> [205.185.113.54] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202745; rev:1;) alert tcp $HOME_NET any -> [191.88.254.193] 1880 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202746; rev:1;) alert tcp $HOME_NET any -> [172.98.192.91] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202747; rev:1;) alert tcp $HOME_NET any -> [178.33.222.241] 2703 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202748; rev:1;) alert tcp $HOME_NET any -> [185.165.153.251] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202749; rev:1;) alert tcp $HOME_NET any -> [185.140.53.132] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202750; rev:1;) alert tcp $HOME_NET any -> [23.105.131.174] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202751; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.92] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202752; rev:1;)
alert tcp $HOME_NET any -> [178.33.222.241] 49746 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202753; rev:1;)
alert tcp $HOME_NET any -> [217.8.117.17] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202754; rev:1;)
alert tcp $HOME_NET any -> [31.220.4.216] 7010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202755; rev:1;)
alert tcp $HOME_NET any -> [104.161.77.84] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202756; rev:1;)
# NOTE(review): sid 905202757 and sid 905202758 share one destination
# (51.79.119.231:13371); only the msg label differs (generic "Malware" vs.
# QuasarRAT). Both rules match on IP and port alone - there is no TLS or
# payload condition - and each carries its own per-source limit of one alert
# per 60 seconds, so a single connection produces two alerts. Correlate them
# as one event during triage and confirm the family from other evidence.
alert tcp $HOME_NET any -> [51.79.119.231] 13371 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202757; rev:1;)
alert tcp $HOME_NET any -> [51.79.119.231] 13371 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202758; rev:1;)
alert tcp $HOME_NET any -> [185.150.117.63] 443 (msg:"SSLBL: Traffic 
to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202759; rev:1;) alert tcp $HOME_NET any -> [194.5.97.21] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202760; rev:1;) alert tcp $HOME_NET any -> [188.166.220.127] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202761; rev:1;) alert tcp $HOME_NET any -> [46.166.161.159] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202762; rev:1;) alert tcp $HOME_NET any -> [46.166.129.195] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202763; rev:1;) alert tcp $HOME_NET any -> [164.90.153.241] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202764; rev:1;) alert tcp $HOME_NET any -> [18.222.171.22] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202765; rev:1;) alert tcp $HOME_NET any -> [137.117.241.192] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202766; rev:1;) alert tcp $HOME_NET any -> 
[92.38.149.158] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202767; rev:1;) alert tcp $HOME_NET any -> [134.19.177.55] 3040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202768; rev:1;) alert tcp $HOME_NET any -> [211.152.136.89] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202769; rev:1;) alert tcp $HOME_NET any -> [91.193.75.18] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202770; rev:1;) alert tcp $HOME_NET any -> [79.134.225.16] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202771; rev:1;) alert tcp $HOME_NET any -> [94.156.35.109] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202772; rev:1;) alert tcp $HOME_NET any -> [104.168.175.192] 444 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202773; rev:1;) alert tcp $HOME_NET any -> [43.242.201.222] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905202774; rev:1;)
# --- Reviewer notes for the rules in this section ---
# Every rule here has the same shape: it alerts on an established TCP session
# from $HOME_NET (any source port) to one fixed destination IP and port. No
# content or TLS option is present, so the match is on address and port alone.
# The family named in msg is the feed's label ("likely ..."); the rule does not
# verify it on the wire. Some entries carry only the generic label "Malware".
#
# flow:established,to_server: a connection attempt that never completes the TCP
# handshake (for example one dropped by an egress filter) does not alert.
#
# threshold: type limit, track by_src, seconds 60, count 1: at most one alert
# per source address per rule per 60 seconds. The alert count therefore
# understates the number of connections; use flow or proxy logs to size activity.
#
# IP-based indicators go stale as addresses are reassigned. The file header
# marks this as the "Aggressive" variant, last updated 2024-04-17. Check a hit
# against the current SSLBL entry for that address before escalating. Rules on
# port 443 fire on any TCP session to that address and port.
#
# The same address can appear in several rules with different ports and family
# labels (for example 37.49.230.113 and 185.157.162.81 below); correlate such
# alerts per destination host rather than per sid.
#
# NOTE(review): Snort 2.x documents the in-rule threshold keyword as deprecated
# in favour of detection_filter / event_filter, while Suricata still accepts
# it. Confirm against the engine version that loads this file.
alert tcp $HOME_NET any -> [91.193.75.225] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202775; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.167] 2256 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202776; rev:1;)
alert tcp $HOME_NET any -> [5.188.0.82] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202777; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.28] 2190 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202778; rev:1;)
alert tcp $HOME_NET any -> [211.152.136.77] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202779; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.73] 5610 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202780; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.138] 1382 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202781; rev:1;)
alert tcp $HOME_NET any -> [185.231.113.131] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202782; rev:1;)
alert tcp $HOME_NET any -> [103.207.39.83] 1024 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202783; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.171] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202784; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.23] 9321 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202785; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.35] 1690 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202786; rev:1;)
alert tcp $HOME_NET any -> [54.37.36.116] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202787; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.84] 20904 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202788; rev:1;)
alert tcp $HOME_NET any -> [66.42.39.79] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202789; rev:1;)
alert tcp $HOME_NET any -> [101.226.26.165] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202790; rev:1;)
alert tcp $HOME_NET any -> [51.116.230.173] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202791; rev:1;)
alert tcp $HOME_NET any -> [179.14.12.213] 8050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202792; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.132] 6868 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202793; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.15] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202794; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.107] 20923 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202795; rev:1;)
alert tcp $HOME_NET any -> [211.152.136.87] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202796; rev:1;)
alert tcp $HOME_NET any -> [134.19.177.55] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202797; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.245] 4575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202798; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.105] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202799; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.85] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202800; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.32] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202801; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.145] 2558 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202802; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.220] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202803; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.83] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202804; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.201] 4575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202805; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.130] 20904 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202806; rev:1;)
alert tcp $HOME_NET any -> [180.97.251.173] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202807; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 2507 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202808; rev:1;)
alert tcp $HOME_NET any -> [104.131.33.128] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202809; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.43] 5007 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202810; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.132] 5484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202811; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.150] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202812; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.230] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202813; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1506 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202814; rev:1;)
alert tcp $HOME_NET any -> [185.193.127.203] 6000 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202815; rev:1;)
alert tcp $HOME_NET any -> [91.193.181.158] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202816; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.68] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202817; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.135] 5484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202818; rev:1;)
alert tcp $HOME_NET any -> [5.149.253.199] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202819; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.116] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202820; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.78] 5007 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202821; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.41] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202822; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.45] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202823; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.33] 5200 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202824; rev:1;)
alert tcp $HOME_NET any -> [128.90.115.237] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202825; rev:1;)
alert tcp $HOME_NET any -> [64.227.103.18] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202826; rev:1;)
alert tcp $HOME_NET any -> [45.66.250.145] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202827; rev:1;)
alert tcp $HOME_NET any -> [45.143.223.34] 3218 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202828; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.81] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202829; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.9] 7003 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202830; rev:1;)
alert tcp $HOME_NET any -> [192.119.80.53] 4576 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202831; rev:1;)
alert tcp $HOME_NET any -> [23.163.0.37] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202832; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.7] 2786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202833; rev:1;)
alert tcp $HOME_NET any -> [161.35.174.89] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202834; rev:1;)
alert tcp $HOME_NET any -> [157.245.164.207] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202835; rev:1;)
alert tcp $HOME_NET any -> [103.89.91.6] 20902 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202836; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.84] 3454 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202837; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.32] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202838; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.209] 1990 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202839; rev:1;)
alert tcp $HOME_NET any -> [185.157.162.81] 20058 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202840; rev:1;)
alert tcp $HOME_NET any -> [45.11.19.57] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202841; rev:1;)
alert tcp $HOME_NET any -> [194.87.18.22] 2382 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202842; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.173] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202843; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.33] 1616 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202844; rev:1;)
alert tcp $HOME_NET any -> [138.197.175.96] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202845; rev:1;)
alert tcp $HOME_NET any -> [194.5.249.199] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202846; rev:1;)
alert tcp $HOME_NET any -> [182.92.202.24] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202847; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.11] 27031 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202848; rev:1;)
alert tcp $HOME_NET any -> [194.5.249.11] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202849; rev:1;)
alert tcp $HOME_NET any -> [134.209.160.222] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202850; rev:1;)
alert tcp $HOME_NET any -> [160.20.145.14] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202851; rev:1;)
alert tcp $HOME_NET any -> [109.248.11.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202852; rev:1;)
alert tcp $HOME_NET any -> [85.143.223.5] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202853; rev:1;)
alert tcp $HOME_NET any -> [89.40.181.108] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202854; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.142] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202855; rev:1;)
alert tcp $HOME_NET any -> [217.12.218.199] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202856; rev:1;)
alert tcp $HOME_NET any -> [206.189.164.25] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202857; rev:1;)
alert tcp $HOME_NET any -> [5.34.180.91] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202858; rev:1;)
alert tcp $HOME_NET any -> [160.20.145.14] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202859; rev:1;)
alert tcp $HOME_NET any -> [185.19.85.155] 2327 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202860; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.116] 7896 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202861; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.55] 9654 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202862; rev:1;)
alert tcp $HOME_NET any -> [159.89.174.73] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202863; rev:1;)
alert tcp $HOME_NET any -> [194.5.249.184] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202864; rev:1;)
alert tcp $HOME_NET any -> [217.195.153.131] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202865; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.51] 2211 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202866; rev:1;)
alert tcp $HOME_NET any -> [87.251.70.44] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202867; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.4] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202868; rev:1;)
alert tcp $HOME_NET any -> [193.38.51.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202869; rev:1;)
alert tcp $HOME_NET any -> [51.15.136.48] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202870; rev:1;)
alert tcp $HOME_NET any -> [172.111.200.225] 5842 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202871; rev:1;)
alert tcp $HOME_NET any -> [192.145.125.42] 4430 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202872; rev:1;)
alert tcp $HOME_NET any -> [134.209.191.228] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202873; rev:1;)
alert tcp $HOME_NET any -> [111.90.146.85] 1730 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202874; rev:1;)
alert tcp $HOME_NET any -> [185.33.86.54] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202875; rev:1;)
alert tcp $HOME_NET any -> [122.228.4.169] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202876; rev:1;)
alert tcp $HOME_NET any -> [45.66.250.228] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202877; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 30986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202878; rev:1;)
alert tcp $HOME_NET any -> [194.187.249.152] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202879; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 1104 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202880; rev:1;)
alert tcp $HOME_NET any -> [138.68.50.71] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202881; rev:1;)
alert tcp $HOME_NET any -> [194.5.249.122] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202882; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.23] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202883; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.59] 20058 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202884; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.17] 2211 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202885; rev:1;)
alert tcp $HOME_NET any -> [164.90.220.32] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202886; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.217] 2123 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202887; rev:1;)
alert tcp $HOME_NET any -> [216.230.73.22] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202888; rev:1;)
alert tcp $HOME_NET any -> [144.168.224.152] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202889; rev:1;)
alert tcp $HOME_NET any -> [45.66.250.229] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202890; rev:1;)
alert tcp $HOME_NET any -> [45.66.250.16] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202891; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.113] 1524 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202892; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.113] 3281 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202893; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.58] 20923 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202894; rev:1;)
alert tcp $HOME_NET any -> [37.120.146.7] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202895; rev:1;)
alert tcp $HOME_NET any -> [103.153.76.133] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202896; rev:1;)
alert tcp $HOME_NET any -> [51.75.155.78] 8595 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202897; rev:1;)
alert tcp $HOME_NET any -> [95.211.170.243] 1576 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202898; rev:1;)
alert tcp $HOME_NET any -> [157.230.17.102] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202899; rev:1;)
alert tcp $HOME_NET any -> [146.0.77.108] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202900; rev:1;)
alert tcp $HOME_NET any -> [172.94.47.80] 4411 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202901; rev:1;)
alert tcp $HOME_NET any -> [82.102.28.107] 62727 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202902; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.81] 3434 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202903; rev:1;)
alert tcp $HOME_NET any -> [116.203.55.94] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202904; rev:1;)
alert tcp $HOME_NET any -> [2.56.214.165] 1234 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202905; rev:1;)
alert tcp $HOME_NET any -> [140.82.33.50] 4784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202906; rev:1;)
alert tcp $HOME_NET any -> [37.120.146.107] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202907; rev:1;)
alert tcp $HOME_NET any -> [161.35.100.78] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202908; rev:1;)
alert tcp $HOME_NET any -> [107.148.200.130] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202909; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 46300 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202910; rev:1;)
alert tcp $HOME_NET any -> [45.153.240.101] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202911; rev:1;)
alert tcp $HOME_NET any -> [103.151.122.113] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202912; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.95] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202913; rev:1;)
alert tcp $HOME_NET any -> [178.238.8.65] 5055 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202914; rev:1;)
alert tcp $HOME_NET any -> [194.5.249.158] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202915; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.78] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202916; rev:1;)
alert tcp $HOME_NET any -> [91.234.99.15] 443 (msg:"SSLBL: Traffic to malicious host (likely DiamondFox C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202917; rev:1;)
alert tcp $HOME_NET any -> [139.59.56.38] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202918; rev:1;)
alert tcp $HOME_NET any -> [188.172.80.161] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202919; rev:1;)
alert tcp $HOME_NET any -> [78.31.63.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202920; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.74] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202921; rev:1;)
alert tcp $HOME_NET any -> [63.209.33.1] 25980 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202922; rev:1;)
alert tcp $HOME_NET any -> [181.52.111.14] 1881 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202923; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.130] 6996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202924; rev:1;)
alert tcp $HOME_NET any -> [128.90.108.26] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202925; rev:1;)
alert tcp $HOME_NET any -> [185.70.184.88] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202926; rev:1;)
# The next two rules match the same destination (51.161.96.106, port 3001) and
# differ only in the family named in msg and in sid, so a single connection can
# raise both alerts. Triage the pair as one event; neither family label is
# confirmed by the rule itself.
alert tcp $HOME_NET any -> [51.161.96.106] 3001 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202927; rev:1;)
alert tcp $HOME_NET any -> [51.161.96.106] 3001 (msg:"SSLBL: Traffic to malicious host (likely BitRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202928; rev:1;)
alert tcp $HOME_NET any -> [23.254.118.153] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202929; rev:1;)
alert tcp $HOME_NET any -> [188.130.138.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202930; rev:1;)
alert tcp $HOME_NET any -> [142.202.240.110] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905202931; rev:1;) alert tcp $HOME_NET any -> [185.22.152.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202932; rev:1;) alert tcp $HOME_NET any -> [91.109.176.4] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202933; rev:1;) alert tcp $HOME_NET any -> [51.210.87.65] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202934; rev:1;) alert tcp $HOME_NET any -> [45.153.240.153] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202935; rev:1;) alert tcp $HOME_NET any -> [128.90.108.246] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202936; rev:1;) alert tcp $HOME_NET any -> [91.193.75.93] 20987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202937; rev:1;) alert tcp $HOME_NET any -> [185.140.53.219] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202938; rev:1;) alert tcp $HOME_NET any -> [37.49.224.150] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202939; rev:1;) alert tcp $HOME_NET any -> [5.101.51.133] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202940; rev:1;) alert tcp $HOME_NET any -> [45.66.250.148] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202941; rev:1;) alert tcp $HOME_NET any -> [151.106.19.145] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202942; rev:1;) alert tcp $HOME_NET any -> [84.38.183.161] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202943; rev:1;) alert tcp $HOME_NET any -> [194.5.97.49] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202944; rev:1;) alert tcp $HOME_NET any -> [128.90.108.56] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202945; rev:1;) alert tcp $HOME_NET any -> [191.101.130.42] 9931 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202946; rev:1;) alert tcp $HOME_NET any -> [194.5.98.8] 8824 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202947; rev:1;) alert tcp $HOME_NET any -> [149.255.35.92] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202948; rev:1;) alert tcp $HOME_NET any -> [79.134.225.111] 7071 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202949; rev:1;) alert tcp $HOME_NET any -> [206.123.129.103] 5456 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202950; rev:1;) alert tcp $HOME_NET any -> [46.101.163.251] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202951; rev:1;) alert tcp $HOME_NET any -> [194.5.249.109] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202952; rev:1;) alert tcp $HOME_NET any -> [188.120.255.249] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202953; rev:1;) alert tcp $HOME_NET any -> [35.241.200.200] 10132 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202954; rev:1;) alert tcp $HOME_NET any -> [188.120.255.141] 443 (msg:"SSLBL: 
Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202955; rev:1;) alert tcp $HOME_NET any -> [185.136.165.173] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202956; rev:1;) alert tcp $HOME_NET any -> [91.245.227.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202957; rev:1;) alert tcp $HOME_NET any -> [37.49.224.15] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202958; rev:1;) alert tcp $HOME_NET any -> [185.140.53.11] 9845 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202959; rev:1;) alert tcp $HOME_NET any -> [84.38.181.209] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202960; rev:1;) alert tcp $HOME_NET any -> [37.49.230.114] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202961; rev:1;) alert tcp $HOME_NET any -> [128.90.105.130] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202962; rev:1;) alert tcp 
$HOME_NET any -> [185.33.85.47] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202963; rev:1;) alert tcp $HOME_NET any -> [45.143.222.153] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202964; rev:1;) alert tcp $HOME_NET any -> [37.49.230.211] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202965; rev:1;) alert tcp $HOME_NET any -> [192.186.183.150] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202966; rev:1;) alert tcp $HOME_NET any -> [37.230.131.83] 9524 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202967; rev:1;) alert tcp $HOME_NET any -> [8.209.102.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202968; rev:1;) alert tcp $HOME_NET any -> [203.205.224.59] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202969; rev:1;) alert tcp $HOME_NET any -> [80.85.157.34] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905202970; rev:1;) alert tcp $HOME_NET any -> [45.147.231.229] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202971; rev:1;) alert tcp $HOME_NET any -> [188.241.58.228] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202972; rev:1;) alert tcp $HOME_NET any -> [165.227.64.184] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202973; rev:1;) alert tcp $HOME_NET any -> [128.90.112.213] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202974; rev:1;) alert tcp $HOME_NET any -> [5.188.4.174] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202975; rev:1;) alert tcp $HOME_NET any -> [185.33.234.204] 4784 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202976; rev:1;) alert tcp $HOME_NET any -> [185.118.167.4] 8485 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202977; rev:1;) alert tcp $HOME_NET any -> [80.249.146.15] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202978; rev:1;) alert tcp $HOME_NET any -> [128.90.105.75] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202979; rev:1;) alert tcp $HOME_NET any -> [79.141.166.229] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202980; rev:1;) alert tcp $HOME_NET any -> [51.15.21.149] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202981; rev:1;) alert tcp $HOME_NET any -> [47.254.177.197] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202982; rev:1;) alert tcp $HOME_NET any -> [128.90.107.110] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202983; rev:1;) alert tcp $HOME_NET any -> [161.35.145.71] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202984; rev:1;) alert tcp $HOME_NET any -> [66.228.45.248] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202985; rev:1;) alert tcp $HOME_NET any -> [117.3.216.38] 3589 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202986; rev:1;) alert tcp $HOME_NET any -> [104.168.173.141] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202987; rev:1;) alert tcp $HOME_NET any -> [188.225.78.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202988; rev:1;) alert tcp $HOME_NET any -> [178.62.90.125] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202989; rev:1;) alert tcp $HOME_NET any -> [37.49.230.254] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202990; rev:1;) alert tcp $HOME_NET any -> [128.90.112.128] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202991; rev:1;) alert tcp $HOME_NET any -> [128.90.112.171] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202992; rev:1;) alert tcp $HOME_NET any -> [45.153.241.126] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202993; rev:1;) alert tcp $HOME_NET any -> [185.140.53.21] 8991 (msg:"SSLBL: Traffic 
to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202994; rev:1;) alert tcp $HOME_NET any -> [37.49.230.14] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202995; rev:1;) alert tcp $HOME_NET any -> [216.218.208.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202996; rev:1;) alert tcp $HOME_NET any -> [103.138.108.193] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202997; rev:1;) alert tcp $HOME_NET any -> [62.108.37.200] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202998; rev:1;) alert tcp $HOME_NET any -> [84.38.180.246] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202999; rev:1;) alert tcp $HOME_NET any -> [185.140.53.6] 270 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203000; rev:1;) alert tcp $HOME_NET any -> [94.100.18.64] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203001; rev:1;) alert tcp $HOME_NET any -> 
[161.35.228.142] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203002; rev:1;) alert tcp $HOME_NET any -> [79.134.225.19] 5812 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203003; rev:1;) alert tcp $HOME_NET any -> [128.90.112.11] 3468 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203004; rev:1;) alert tcp $HOME_NET any -> [103.151.122.193] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203005; rev:1;) alert tcp $HOME_NET any -> [8.210.57.151] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203006; rev:1;) alert tcp $HOME_NET any -> [37.49.230.86] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203007; rev:1;) alert tcp $HOME_NET any -> [80.249.145.100] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203008; rev:1;) alert tcp $HOME_NET any -> [167.172.216.222] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203009; rev:1;) alert tcp $HOME_NET any -> [103.89.91.6] 20197 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203010; rev:1;) alert tcp $HOME_NET any -> [185.205.210.87] 4848 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203011; rev:1;) alert tcp $HOME_NET any -> [182.92.225.203] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203012; rev:1;) alert tcp $HOME_NET any -> [185.140.53.247] 4723 (msg:"SSLBL: Traffic to malicious host (likely NanoCore C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203013; rev:1;) alert tcp $HOME_NET any -> [194.5.97.24] 6669 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203014; rev:1;) alert tcp $HOME_NET any -> [5.188.228.46] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203015; rev:1;) alert tcp $HOME_NET any -> [157.245.96.68] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203016; rev:1;) alert tcp $HOME_NET any -> [23.227.207.140] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203017; rev:1;) alert tcp $HOME_NET any -> [37.49.230.134] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203018; rev:1;) alert tcp $HOME_NET any -> [74.91.115.145] 9825 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203019; rev:1;) alert tcp $HOME_NET any -> [80.249.144.38] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203020; rev:1;) alert tcp $HOME_NET any -> [79.134.225.19] 8301 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203021; rev:1;) alert tcp $HOME_NET any -> [185.105.1.165] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203022; rev:1;) alert tcp $HOME_NET any -> [159.65.147.133] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203023; rev:1;) alert tcp $HOME_NET any -> [37.49.230.147] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203024; rev:1;) alert tcp $HOME_NET any -> [8.208.26.123] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203025; rev:1;) alert tcp $HOME_NET any -> [167.71.227.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203026; rev:1;) alert tcp $HOME_NET any -> [193.38.55.44] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203027; rev:1;) alert tcp $HOME_NET any -> [134.209.204.246] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203028; rev:1;) alert tcp $HOME_NET any -> [156.255.3.231] 444 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203029; rev:1;) alert tcp $HOME_NET any -> [82.53.78.66] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203030; rev:1;) alert tcp $HOME_NET any -> [45.143.222.212] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203031; rev:1;) alert tcp $HOME_NET any -> [185.105.1.161] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203032; rev:1;) alert tcp $HOME_NET any -> [159.203.61.77] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203033; rev:1;) alert tcp $HOME_NET any -> [94.100.18.83] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203034; rev:1;) alert tcp $HOME_NET any -> [79.134.225.82] 54280 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203035; rev:1;) alert tcp $HOME_NET any -> [84.194.102.183] 5781 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203036; rev:1;) alert tcp $HOME_NET any -> [79.134.225.125] 1515 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203037; rev:1;) alert tcp $HOME_NET any -> [185.19.85.161] 3109 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203038; rev:1;) alert tcp $HOME_NET any -> [84.38.183.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203039; rev:1;) alert tcp $HOME_NET any -> [51.195.35.9] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203040; rev:1;) alert tcp $HOME_NET any -> [80.249.147.138] 443 (msg:"SSLBL: Traffic to malicious 
host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203041; rev:1;) alert tcp $HOME_NET any -> [47.241.35.230] 3333 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203042; rev:1;) alert tcp $HOME_NET any -> [176.107.177.67] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203043; rev:1;) alert tcp $HOME_NET any -> [172.94.19.67] 8482 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203044; rev:1;) alert tcp $HOME_NET any -> [84.38.182.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203045; rev:1;) alert tcp $HOME_NET any -> [178.128.213.80] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203046; rev:1;) alert tcp $HOME_NET any -> [185.82.126.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203047; rev:1;) alert tcp $HOME_NET any -> [193.203.50.51] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203048; rev:1;) alert tcp $HOME_NET any -> [188.68.220.80] 
443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203049; rev:1;)
# How to read these rules: each one matches an established TCP flow from $HOME_NET to a
# single destination address and port (flow:established,to_server). No rule carries a
# payload or TLS option, so the family named in msg is the feed's attribution for that
# address ("likely ..."), not something the rule itself verifies.
# threshold: type limit, track by_src, seconds 60, count 1 caps alerting at one alert per
# source address per 60 seconds, so a single alert can stand for many connections.
alert tcp $HOME_NET any -> [45.143.222.142] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203050; rev:1;)
alert tcp $HOME_NET any -> [142.93.149.145] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203051; rev:1;)
alert tcp $HOME_NET any -> [45.147.230.85] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203052; rev:1;)
alert tcp $HOME_NET any -> [23.227.196.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203053; rev:1;)
alert tcp $HOME_NET any -> [45.113.2.107] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203054; rev:1;)
alert tcp $HOME_NET any -> [167.172.149.139] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203055; rev:1;)
alert tcp $HOME_NET any -> [188.68.221.93] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203056; rev:1;)
alert tcp $HOME_NET any -> [37.72.175.220] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203057; rev:1;)
alert tcp $HOME_NET any -> [79.143.31.33] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203058; rev:1;)
alert tcp $HOME_NET any -> [64.227.105.16] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203059; rev:1;)
alert tcp $HOME_NET any -> [35.188.83.68] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203060; rev:1;)
alert tcp $HOME_NET any -> [45.32.137.86] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203061; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.167] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203062; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.250] 6204 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203063; rev:1;)
alert tcp $HOME_NET any -> [161.35.84.5] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203064; rev:1;)
# msg carries only the generic label "Malware" here (also sid 905203077 below): the rule
# names no family, so identification has to come from host or session telemetry.
alert tcp $HOME_NET any -> [83.171.238.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203065; rev:1;)
alert tcp $HOME_NET any -> [37.49.224.176] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203066; rev:1;)
alert tcp $HOME_NET any -> [51.254.178.24] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203067; rev:1;)
alert tcp $HOME_NET any -> [198.50.252.31] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203068; rev:1;)
alert tcp $HOME_NET any -> [89.207.129.43] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203069; rev:1;)
alert tcp $HOME_NET any -> [185.176.222.156] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203070; rev:1;)
alert tcp $HOME_NET any -> [185.244.213.103] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203071; rev:1;)
alert tcp $HOME_NET any -> [45.89.175.154] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203072; rev:1;)
alert tcp $HOME_NET any -> [118.24.214.63] 5613 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203073; rev:1;)
alert tcp $HOME_NET any -> [160.124.140.146] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203074; rev:1;)
alert tcp $HOME_NET any -> [84.38.180.125] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203075; rev:1;)
alert tcp $HOME_NET any -> [148.0.135.30] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203076; rev:1;)
alert tcp $HOME_NET any -> [185.141.33.69] 5052 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203077; rev:1;)
alert tcp $HOME_NET any -> [185.65.202.58] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203078; rev:1;)
alert tcp $HOME_NET any -> [194.5.250.184] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203079; rev:1;)
alert tcp $HOME_NET any -> [62.108.35.175] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203080; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.98] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203081; rev:1;)
alert tcp $HOME_NET any -> [94.100.18.43] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203082; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1507 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203083; rev:1;)
alert tcp $HOME_NET any -> [199.192.19.38] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203084; rev:1;)
alert tcp $HOME_NET any -> [45.147.231.191] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203085; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203086; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.187] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203087; rev:1;)
alert tcp $HOME_NET any -> [106.54.62.149] 15555 (msg:"SSLBL: Traffic to malicious host 
(likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203088; rev:1;)
# Each rule below names one destination address and one port. Three addresses in this
# stretch are listed on more than one port, each under its own sid: 87.255.6.145
# (5123, 2005), 193.161.193.99 (21254, 48736) and 195.2.93.77 (8808, 7707). Alerts for a
# single remote host can therefore arrive under different sids; group by destination
# address rather than by sid when triaging.
alert tcp $HOME_NET any -> [45.143.222.115] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203089; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.161] 7266 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203090; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.101] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203091; rev:1;)
alert tcp $HOME_NET any -> [87.255.6.145] 5123 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203092; rev:1;)
alert tcp $HOME_NET any -> [45.142.213.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203093; rev:1;)
alert tcp $HOME_NET any -> [188.68.221.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203094; rev:1;)
alert tcp $HOME_NET any -> [79.141.166.200] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203095; rev:1;)
alert tcp $HOME_NET any -> [117.199.6.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203096; rev:1;)
alert tcp $HOME_NET any -> [8.208.28.166] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203097; rev:1;)
alert tcp $HOME_NET any -> [45.143.138.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203098; rev:1;)
alert tcp $HOME_NET any -> [45.55.60.31] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203099; rev:1;)
# 193.161.193.99 is labelled OrcusRAT on this port and AsyncRAT on port 48736
# (sid 905203111): same host, different family labels, so the label depends on the port.
alert tcp $HOME_NET any -> [193.161.193.99] 21254 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203100; rev:1;)
alert tcp $HOME_NET any -> [194.135.93.234] 1349 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203101; rev:1;)
alert tcp $HOME_NET any -> [31.184.254.46] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203102; rev:1;)
alert tcp $HOME_NET any -> [8.209.79.24] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203103; rev:1;)
alert tcp $HOME_NET any -> [157.245.169.70] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203104; rev:1;)
alert tcp $HOME_NET any -> [87.255.6.145] 2005 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203105; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.219] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203106; rev:1;)
alert tcp $HOME_NET any -> [161.35.24.186] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203107; rev:1;)
alert tcp $HOME_NET any -> [95.216.251.222] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203108; rev:1;)
alert tcp $HOME_NET any -> [101.226.26.166] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203109; rev:1;)
alert tcp $HOME_NET any -> [80.249.145.124] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203110; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 48736 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203111; rev:1;)
alert tcp $HOME_NET any -> [178.62.15.225] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203112; rev:1;)
alert tcp $HOME_NET any -> [205.185.125.93] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203113; rev:1;)
alert tcp $HOME_NET any -> [5.149.253.194] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203114; rev:1;)
alert tcp $HOME_NET any -> [31.184.254.232] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203115; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.210] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203116; rev:1;)
alert tcp $HOME_NET any -> [146.0.72.182] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203117; rev:1;)
alert tcp $HOME_NET any -> [8.210.77.76] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203118; rev:1;)
alert tcp $HOME_NET any -> [8.208.101.150] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203119; rev:1;)
alert tcp $HOME_NET any -> [84.38.180.104] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203120; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.12] 4567 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203121; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.129] 5554 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203122; rev:1;)
alert tcp $HOME_NET any -> [195.2.93.77] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203123; rev:1;)
alert tcp $HOME_NET any -> [82.148.28.9] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203124; rev:1;)
alert tcp $HOME_NET any -> [195.2.93.77] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203125; rev:1;)
alert tcp $HOME_NET any -> [66.165.246.89] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203126; rev:1;)
alert tcp $HOME_NET any -> [185.49.68.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203127; rev:1;)
# Every rule in this stretch uses the same options (flow, threshold,
# classtype:trojan-activity, rev:1); only the destination address, port, msg label and
# sid differ. Severity tuning therefore has to key on sid or msg, since classtype is the
# same everywhere. Nothing in a rule inspects payload or TLS, so a hit means "a host in
# $HOME_NET completed a TCP connection to this address and port" and nothing more.
alert tcp $HOME_NET any -> [185.159.82.226] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203128; rev:1;)
alert tcp $HOME_NET any -> [107.173.171.162] 1738 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203129; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203130; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.192] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203131; rev:1;)
alert tcp $HOME_NET any -> [87.255.6.145] 2004 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203132; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.29] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203133; rev:1;)
alert tcp $HOME_NET any -> [8.209.96.17] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203134; rev:1;)
alert tcp $HOME_NET any -> [45.89.175.151] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203135; rev:1;)
alert tcp $HOME_NET any -> [103.147.185.105] 9242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203136; rev:1;)
alert tcp $HOME_NET any -> [46.21.147.169] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203137; rev:1;)
alert tcp $HOME_NET any -> [8.209.99.58] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203138; rev:1;)
alert tcp $HOME_NET any -> [159.89.139.204] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203139; rev:1;)
alert tcp $HOME_NET any -> [159.65.103.89] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203140; rev:1;)
alert tcp $HOME_NET any -> [165.22.26.177] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203141; rev:1;)
# Destination port 22: this is an `alert tcp` rule with no application-layer option, so
# any established TCP session from $HOME_NET to this address on port 22 fires it,
# whatever protocol is spoken. Confirm with session or host data before attributing the
# hit to the family named in msg.
alert tcp $HOME_NET any -> [188.215.229.20] 22 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203142; rev:1;)
alert tcp $HOME_NET any -> [103.151.125.141] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203143; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203144; rev:1;)
alert tcp $HOME_NET any -> [84.38.180.239] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203145; rev:1;)
alert tcp $HOME_NET any -> [38.68.50.180] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203146; rev:1;)
alert tcp $HOME_NET any -> [167.71.0.179] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203147; rev:1;)
alert tcp $HOME_NET any -> [138.197.144.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203148; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.129] 7776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203149; rev:1;)
alert tcp $HOME_NET any -> [217.29.53.4] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203150; rev:1;)
alert tcp $HOME_NET any -> [47.254.242.30] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203151; rev:1;)
alert tcp $HOME_NET any -> [141.255.158.51] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203152; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 21985 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203153; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.116] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203154; rev:1;)
alert tcp $HOME_NET any -> [45.67.230.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203155; rev:1;)
alert tcp $HOME_NET any -> [139.60.161.209] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203156; rev:1;)
alert tcp $HOME_NET any -> [185.161.208.94] 2222 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203157; rev:1;)
alert tcp $HOME_NET any -> [89.105.197.14] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203158; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.49] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203159; rev:1;)
alert tcp $HOME_NET any -> [23.227.199.112] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203160; rev:1;)
alert tcp $HOME_NET any -> [92.204.160.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203161; rev:1;)
alert tcp $HOME_NET any -> [64.225.65.166] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203162; rev:1;)
alert tcp $HOME_NET any -> [38.132.124.231] 443 (msg:"SSLBL: Traffic to malicious host (likely GuLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203163; rev:1;)
alert tcp $HOME_NET any -> [149.255.35.163] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203164; rev:1;)
alert tcp $HOME_NET any -> [185.236.201.102] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203165; rev:1;)
alert tcp $HOME_NET any -> [68.235.48.108] 6250 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203166; rev:1;)
# Two destinations in this stretch are listed twice on the same port under different
# labels: 80.249.146.100:443 (sids 905203181 and 905203182) and 84.38.183.227:443
# (sids 905203191 and 905203192). Both rules of a pair match the same flow, and the
# threshold is written into each rule separately, so one connection can raise two
# alerts. Deduplicate downstream on source, destination address and port, not on sid.
alert tcp $HOME_NET any -> [161.35.197.114] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203167; rev:1;)
alert tcp $HOME_NET any -> [192.210.237.74] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203168; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.180] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203169; rev:1;)
alert tcp $HOME_NET any -> [102.130.119.183] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203170; rev:1;)
alert tcp $HOME_NET any -> [80.249.147.57] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203171; rev:1;)
alert tcp $HOME_NET any -> [45.67.228.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203172; rev:1;)
alert tcp $HOME_NET any -> [102.130.119.184] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203173; rev:1;)
alert tcp $HOME_NET any -> [3.124.197.215] 3333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203174; rev:1;)
alert tcp $HOME_NET any -> [109.230.215.25] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203175; rev:1;)
alert tcp $HOME_NET any -> [91.211.246.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203176; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.152] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203177; rev:1;)
alert tcp $HOME_NET any -> [89.105.194.243] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203178; rev:1;)
alert tcp $HOME_NET any -> [139.60.161.57] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203179; rev:1;)
alert tcp $HOME_NET any -> [5.101.50.87] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203180; rev:1;)
# Same destination and port in the next two rules; only the msg label and sid differ.
alert tcp $HOME_NET any -> [80.249.146.100] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203181; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203182; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.41] 5288 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203183; rev:1;)
alert tcp $HOME_NET any -> [45.89.175.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203184; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1501 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203185; rev:1;)
alert tcp $HOME_NET any -> [45.147.231.75] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203186; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203187; rev:1;)
alert tcp $HOME_NET any -> [199.188.206.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203188; rev:1;)
alert tcp $HOME_NET any -> [37.221.113.68] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203189; rev:1;)
alert tcp $HOME_NET any -> [85.17.26.178] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203190; rev:1;)
# Same destination and port in the next two rules; only the msg label and sid differ.
alert tcp $HOME_NET any -> [84.38.183.227] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203191; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203192; rev:1;)
alert tcp $HOME_NET any -> [46.102.153.39] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203193; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203194; rev:1;)
alert tcp $HOME_NET any -> [121.42.15.110] 8081 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203195; rev:1;)
alert tcp $HOME_NET any -> [23.94.54.199] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203196; rev:1;)
alert tcp $HOME_NET any -> [47.53.137.56] 1606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203197; rev:1;)
alert tcp $HOME_NET any -> [139.59.28.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203198; rev:1;)
alert tcp $HOME_NET any -> [5.206.225.37] 5566 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203199; rev:1;)
alert tcp $HOME_NET any -> [3.8.93.207] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203200; rev:1;)
alert tcp $HOME_NET any -> [46.21.147.240] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203201; rev:1;)
alert tcp $HOME_NET any -> [185.34.52.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203202; rev:1;)
alert tcp $HOME_NET any -> [79.143.30.10] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203203; rev:1;)
alert tcp $HOME_NET any -> [45.66.250.161] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203204; rev:1;)
alert tcp $HOME_NET any -> [31.24.224.7] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203205; rev:1;)
alert tcp $HOME_NET any -> [167.86.118.236] 1604 (msg:"SSLBL: 
Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203206; rev:1;) alert tcp $HOME_NET any -> [84.38.180.26] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203207; rev:1;) alert tcp $HOME_NET any -> [178.62.16.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203208; rev:1;) alert tcp $HOME_NET any -> [34.70.172.237] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203209; rev:1;) alert tcp $HOME_NET any -> [216.38.8.169] 8153 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203210; rev:1;) alert tcp $HOME_NET any -> [185.41.154.105] 587 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203211; rev:1;) alert tcp $HOME_NET any -> [198.27.105.164] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203212; rev:1;) alert tcp $HOME_NET any -> [185.200.241.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203213; rev:1;) alert tcp $HOME_NET any -> 
[172.104.163.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203214; rev:1;) alert tcp $HOME_NET any -> [185.244.30.202] 2243 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203215; rev:1;) alert tcp $HOME_NET any -> [185.80.129.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203216; rev:1;) alert tcp $HOME_NET any -> [79.134.225.47] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203217; rev:1;) alert tcp $HOME_NET any -> [45.11.18.76] 5095 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203218; rev:1;) alert tcp $HOME_NET any -> [5.39.218.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203219; rev:1;) alert tcp $HOME_NET any -> [38.132.99.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203220; rev:1;) alert tcp $HOME_NET any -> [67.43.239.171] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203221; rev:1;) alert 
tcp $HOME_NET any -> [37.228.116.200] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203222; rev:1;) alert tcp $HOME_NET any -> [45.58.139.101] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203223; rev:1;) alert tcp $HOME_NET any -> [89.33.246.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203224; rev:1;) alert tcp $HOME_NET any -> [91.193.75.163] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203225; rev:1;) alert tcp $HOME_NET any -> [176.123.7.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203226; rev:1;) alert tcp $HOME_NET any -> [172.105.52.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203227; rev:1;) alert tcp $HOME_NET any -> [185.236.202.149] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203228; rev:1;) alert tcp $HOME_NET any -> [192.188.88.247] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203229; rev:1;) alert tcp $HOME_NET any -> [64.251.28.62] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203230; rev:1;) alert tcp $HOME_NET any -> [91.193.75.145] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203231; rev:1;) alert tcp $HOME_NET any -> [185.34.52.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203232; rev:1;) alert tcp $HOME_NET any -> [193.56.28.11] 7870 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203233; rev:1;) alert tcp $HOME_NET any -> [149.255.35.139] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203234; rev:1;) alert tcp $HOME_NET any -> [149.255.35.159] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203235; rev:1;) alert tcp $HOME_NET any -> [94.158.245.4] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203236; rev:1;) alert tcp $HOME_NET any -> [38.68.46.160] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203237; rev:1;) alert tcp $HOME_NET any -> [142.202.190.47] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203238; rev:1;) alert tcp $HOME_NET any -> [185.225.19.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203239; rev:1;) alert tcp $HOME_NET any -> [13.82.28.199] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203240; rev:1;) alert tcp $HOME_NET any -> [80.209.241.84] 56789 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203241; rev:1;) alert tcp $HOME_NET any -> [142.202.188.195] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203242; rev:1;) alert tcp $HOME_NET any -> [5.39.221.45] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203243; rev:1;) alert tcp $HOME_NET any -> [79.134.225.71] 2786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203244; rev:1;) alert tcp $HOME_NET any -> [165.227.198.46] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203245; rev:1;) alert tcp $HOME_NET any -> [91.218.66.231] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203246; rev:1;) alert tcp $HOME_NET any -> [139.60.161.95] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203247; rev:1;) alert tcp $HOME_NET any -> [46.17.98.48] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203248; rev:1;) alert tcp $HOME_NET any -> [47.241.116.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203249; rev:1;) alert tcp $HOME_NET any -> [23.254.229.35] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203250; rev:1;) alert tcp $HOME_NET any -> [5.39.221.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203251; rev:1;) alert tcp $HOME_NET any -> [45.32.128.100] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203252; rev:1;) alert tcp $HOME_NET any -> [142.202.188.216] 443 (msg:"SSLBL: Traffic to malicious host 
(likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203253; rev:1;) alert tcp $HOME_NET any -> [167.114.12.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203254; rev:1;) alert tcp $HOME_NET any -> [89.163.245.168] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203255; rev:1;) alert tcp $HOME_NET any -> [89.163.253.225] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203256; rev:1;) alert tcp $HOME_NET any -> [95.174.65.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203257; rev:1;) alert tcp $HOME_NET any -> [46.183.222.49] 6689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203258; rev:1;) alert tcp $HOME_NET any -> [46.21.150.151] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203259; rev:1;) alert tcp $HOME_NET any -> [79.134.225.70] 2321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203260; rev:1;) alert tcp $HOME_NET any -> [8.209.74.159] 443 
(msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203261; rev:1;) alert tcp $HOME_NET any -> [185.244.29.203] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203262; rev:1;) alert tcp $HOME_NET any -> [86.106.20.175] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203263; rev:1;) alert tcp $HOME_NET any -> [172.241.27.37] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203264; rev:1;) alert tcp $HOME_NET any -> [91.132.139.214] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203265; rev:1;) alert tcp $HOME_NET any -> [149.255.36.132] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203266; rev:1;) alert tcp $HOME_NET any -> [91.193.75.7] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203267; rev:1;) alert tcp $HOME_NET any -> [185.244.30.202] 1139 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203268; rev:1;) alert tcp $HOME_NET 
any -> [24.185.111.219] 54455 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203269; rev:1;) alert tcp $HOME_NET any -> [54.36.17.100] 5060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203270; rev:1;) alert tcp $HOME_NET any -> [8.208.9.171] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203271; rev:1;) alert tcp $HOME_NET any -> [190.213.78.26] 5000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203272; rev:1;) alert tcp $HOME_NET any -> [79.134.225.82] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203273; rev:1;) alert tcp $HOME_NET any -> [178.170.138.217] 3097 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203274; rev:1;) alert tcp $HOME_NET any -> [212.8.247.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203275; rev:1;) alert tcp $HOME_NET any -> [114.67.122.133] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203276; rev:1;) alert tcp $HOME_NET any -> [83.11.66.225] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203277; rev:1;) alert tcp $HOME_NET any -> [103.147.184.237] 5010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203278; rev:1;) alert tcp $HOME_NET any -> [91.218.66.231] 18888 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203279; rev:1;) alert tcp $HOME_NET any -> [79.134.225.102] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203280; rev:1;) alert tcp $HOME_NET any -> [47.106.209.173] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203281; rev:1;) alert tcp $HOME_NET any -> [37.120.140.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203282; rev:1;) alert tcp $HOME_NET any -> [91.193.75.172] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203283; rev:1;) alert tcp $HOME_NET any -> [203.205.224.29] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905203284; rev:1;) alert tcp $HOME_NET any -> [24.31.167.44] 4444 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203285; rev:1;) alert tcp $HOME_NET any -> [185.163.45.109] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203286; rev:1;) alert tcp $HOME_NET any -> [91.92.144.29] 2088 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203287; rev:1;) alert tcp $HOME_NET any -> [47.241.2.255] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203288; rev:1;) alert tcp $HOME_NET any -> [45.32.128.117] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203289; rev:1;) alert tcp $HOME_NET any -> [185.80.130.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203290; rev:1;) alert tcp $HOME_NET any -> [194.5.97.223] 6204 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203291; rev:1;) alert tcp $HOME_NET any -> [41.96.194.11] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203292; rev:1;) alert tcp $HOME_NET any -> [185.140.53.154] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203293; rev:1;) alert tcp $HOME_NET any -> [41.96.193.66] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203294; rev:1;) alert tcp $HOME_NET any -> [185.244.29.129] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203295; rev:1;) alert tcp $HOME_NET any -> [185.236.202.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203296; rev:1;) alert tcp $HOME_NET any -> [120.132.81.251] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203297; rev:1;) alert tcp $HOME_NET any -> [193.56.28.20] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203298; rev:1;) alert tcp $HOME_NET any -> [121.140.64.142] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203299; rev:1;) alert tcp $HOME_NET any -> [92.241.100.83] 25530 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203300; rev:1;) alert tcp $HOME_NET any -> [41.96.30.85] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203301; rev:1;) alert tcp $HOME_NET any -> [198.50.252.26] 1980 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203302; rev:1;) alert tcp $HOME_NET any -> [181.52.111.181] 8015 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203303; rev:1;) alert tcp $HOME_NET any -> [139.60.161.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203304; rev:1;) alert tcp $HOME_NET any -> [217.8.117.41] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203305; rev:1;) alert tcp $HOME_NET any -> [68.235.48.108] 6532 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203306; rev:1;) alert tcp $HOME_NET any -> [104.244.74.228] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203307; rev:1;) alert tcp $HOME_NET any -> [62.108.37.207] 5252 (msg:"SSLBL: Traffic 
to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203308; rev:1;) alert tcp $HOME_NET any -> [89.182.81.9] 3602 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203309; rev:1;) alert tcp $HOME_NET any -> [194.5.99.111] 17175 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203310; rev:1;) alert tcp $HOME_NET any -> [84.201.188.25] 7007 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203311; rev:1;) alert tcp $HOME_NET any -> [62.108.37.207] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203312; rev:1;) alert tcp $HOME_NET any -> [64.79.67.69] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203313; rev:1;) alert tcp $HOME_NET any -> [185.163.45.85] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203314; rev:1;) alert tcp $HOME_NET any -> [134.122.98.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203315; rev:1;) alert tcp $HOME_NET any -> 
[172.105.75.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203316; rev:1;) alert tcp $HOME_NET any -> [80.83.26.131] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203317; rev:1;) alert tcp $HOME_NET any -> [84.51.52.166] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203318; rev:1;) alert tcp $HOME_NET any -> [91.211.245.161] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203319; rev:1;) alert tcp $HOME_NET any -> [193.37.214.127] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203320; rev:1;) alert tcp $HOME_NET any -> [103.147.184.237] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203321; rev:1;) alert tcp $HOME_NET any -> [8.208.83.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203322; rev:1;) alert tcp $HOME_NET any -> [79.134.225.70] 2333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203323; rev:1;) 
# SSLBL botnet C2 IP rules, sid 905203324 through 905203370, written one rule
# per line. Snort and Suricata expect one rule per line unless a line is
# continued with a backslash.
#
# Every rule below has the same shape: it fires on an established TCP flow from
# $HOME_NET to a single listed IP address and port (flow:established,to_server).
# No option inspects the payload or the TLS handshake, so an alert means "a
# monitored host connected to this endpoint"; the family named in msg is the
# feed's attribution ("likely ..."), not something the rule itself verifies.
#
# threshold: type limit, track by_src, seconds 60, count 1 caps each rule at
# one alert per source address per 60 seconds. Alert counts therefore
# understate the number of connections; use flow records to size the activity.
#
# NOTE(review): the file banner marks this as the "Aggressive" variant, last
# updated 2024-04-17. abuse.ch describes that variant as also carrying
# addresses that are no longer active C2s - confirm on the feed's terms page
# and corroborate a hit (endpoint telemetry, TLS certificate fingerprint)
# before isolating a host or turning these entries into blocks.
# NOTE(review): Snort 2 documents the in-rule threshold option as deprecated in
# favour of detection_filter / event_filter; Suricata accepts it. Check that
# the target engine version still loads these rules.
alert tcp $HOME_NET any -> [41.96.152.168] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203324; rev:1;)
alert tcp $HOME_NET any -> [5.45.71.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203325; rev:1;)
alert tcp $HOME_NET any -> [185.70.184.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203326; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.206] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203327; rev:1;)
alert tcp $HOME_NET any -> [91.132.139.206] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203328; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.194] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203329; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.9] 2487 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203330; rev:1;)
alert tcp $HOME_NET any -> [101.89.125.173] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203331; rev:1;)
alert tcp $HOME_NET any -> [139.99.122.112] 62 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203332; rev:1;)
alert tcp $HOME_NET any -> [104.198.206.229] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203333; rev:1;)
alert tcp $HOME_NET any -> [88.198.77.224] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203334; rev:1;)
alert tcp $HOME_NET any -> [198.27.77.206] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203335; rev:1;)
alert tcp $HOME_NET any -> [102.130.119.142] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203336; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.15] 7061 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203337; rev:1;)
alert tcp $HOME_NET any -> [161.35.38.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203338; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.35] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203339; rev:1;)
alert tcp $HOME_NET any -> [107.175.144.243] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203340; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.112] 37375 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203341; rev:1;)
alert tcp $HOME_NET any -> [139.28.222.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203342; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203343; rev:1;)
alert tcp $HOME_NET any -> [173.234.155.34] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203344; rev:1;)
alert tcp $HOME_NET any -> [78.217.163.197] 1117 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203345; rev:1;)
alert tcp $HOME_NET any -> [185.212.148.63] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203346; rev:1;)
alert tcp $HOME_NET any -> [64.225.101.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203347; rev:1;)
# The next two rules name the same IP address and port and differ only in the
# family label and sid. One connection matches both, and each rule keeps its
# own threshold, so expect two alerts; deduplicate on destination in triage.
alert tcp $HOME_NET any -> [185.165.153.215] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203348; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.215] 6606 (msg:"SSLBL: Traffic to malicious host (likely RevengeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203349; rev:1;)
alert tcp $HOME_NET any -> [82.208.161.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203350; rev:1;)
alert tcp $HOME_NET any -> [194.113.235.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203351; rev:1;)
alert tcp $HOME_NET any -> [185.14.31.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203352; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.100] 45678 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203353; rev:1;)
alert tcp $HOME_NET any -> [180.214.236.107] 6590 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203354; rev:1;)
alert tcp $HOME_NET any -> [95.217.81.68] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203355; rev:1;)
alert tcp $HOME_NET any -> [182.190.24.221] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203356; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.125] 442 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203357; rev:1;)
alert tcp $HOME_NET any -> [161.117.87.168] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203358; rev:1;)
alert tcp $HOME_NET any -> [104.248.138.198] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203359; rev:1;)
alert tcp $HOME_NET any -> [34.222.222.126] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203360; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.49] 1952 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203361; rev:1;)
alert tcp $HOME_NET any -> [51.15.21.149] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203362; rev:1;)
alert tcp $HOME_NET any -> [103.242.134.79] 43 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203363; rev:1;)
alert tcp $HOME_NET any -> [45.147.201.55] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203364; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.236] 9932 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203365; rev:1;)
alert tcp $HOME_NET any -> [64.227.8.3] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203366; rev:1;)
alert tcp $HOME_NET any -> [46.183.221.30] 6434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203367; rev:1;)
alert tcp $HOME_NET any -> [172.94.18.253] 6699 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203368; rev:1;)
alert tcp $HOME_NET any -> [77.30.145.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203369; rev:1;)
alert tcp $HOME_NET any -> [23.108.57.5] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203370; rev:1;)
# SSLBL botnet C2 IP rules, sid 905203371 through 905203425, written one rule
# per line. Snort and Suricata expect one rule per line unless a line is
# continued with a backslash.
#
# Each rule fires on an established TCP flow from $HOME_NET to one listed IP
# address and port (flow:established,to_server) and inspects nothing else: no
# payload or TLS option is present. Treat an alert as "a monitored host
# connected to this endpoint"; the family in msg is the feed's attribution
# ("likely ..."). The generic label "Malware" carries no family information.
#
# threshold: type limit, track by_src, seconds 60, count 1 limits each rule to
# one alert per source address per 60 seconds, so repeated beaconing shows up
# as a single alert per minute per source.
#
# NOTE(review): the file banner marks this as the "Aggressive" variant, last
# updated 2024-04-17; presumably some of these addresses are historical.
# Corroborate a hit with endpoint or TLS-certificate evidence before acting on
# the host, and check list age before reusing the entries as block rules.
alert tcp $HOME_NET any -> [178.48.154.38] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203371; rev:1;)
alert tcp $HOME_NET any -> [31.184.253.197] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203372; rev:1;)
alert tcp $HOME_NET any -> [172.104.239.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203373; rev:1;)
alert tcp $HOME_NET any -> [178.79.158.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203374; rev:1;)
alert tcp $HOME_NET any -> [91.201.175.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203375; rev:1;)
alert tcp $HOME_NET any -> [5.56.73.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203376; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.175] 7071 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203377; rev:1;)
alert tcp $HOME_NET any -> [178.238.8.102] 8855 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203378; rev:1;)
alert tcp $HOME_NET any -> [23.227.196.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203379; rev:1;)
# The next two rules name the same IP address and port and differ only in the
# family label and sid, so one connection raises both alerts.
alert tcp $HOME_NET any -> [8.208.80.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203380; rev:1;)
alert tcp $HOME_NET any -> [8.208.80.205] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203381; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 44137 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203382; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.161] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203383; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.75] 20987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203384; rev:1;)
alert tcp $HOME_NET any -> [80.83.26.132] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203385; rev:1;)
alert tcp $HOME_NET any -> [84.211.45.238] 1085 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203386; rev:1;)
alert tcp $HOME_NET any -> [174.138.59.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203387; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.92] 2512 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203388; rev:1;)
alert tcp $HOME_NET any -> [134.209.172.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203389; rev:1;)
alert tcp $HOME_NET any -> [190.84.167.48] 1881 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203390; rev:1;)
alert tcp $HOME_NET any -> [83.11.162.79] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203391; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203392; rev:1;)
alert tcp $HOME_NET any -> [88.218.16.218] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203393; rev:1;)
alert tcp $HOME_NET any -> [144.217.211.203] 6714 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203394; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.14] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203395; rev:1;)
alert tcp $HOME_NET any -> [104.237.252.50] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203396; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.14] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203397; rev:1;)
alert tcp $HOME_NET any -> [85.74.134.20] 4782 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203398; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.23] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203399; rev:1;)
alert tcp $HOME_NET any -> [45.32.167.239] 6606 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203400; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.134] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203401; rev:1;)
# The next two rules again share one IP address and port under two family
# labels; deduplicate on destination when counting affected hosts.
alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203402; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203403; rev:1;)
alert tcp $HOME_NET any -> [45.153.240.114] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203404; rev:1;)
alert tcp $HOME_NET any -> [192.253.255.182] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203405; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 8808 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203406; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.58] 20909 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203407; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.214] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203408; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.190] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203409; rev:1;)
alert tcp $HOME_NET any -> [3.17.10.122] 8780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203410; rev:1;)
alert tcp $HOME_NET any -> [94.239.225.11] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203411; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.175] 20209 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203412; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.75] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203413; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.120] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203414; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.161] 29060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203415; rev:1;)
alert tcp $HOME_NET any -> [46.183.221.31] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203416; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.196] 5679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203417; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.71] 8364 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203418; rev:1;)
alert tcp $HOME_NET any -> [46.17.96.46] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203419; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.247] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203420; rev:1;)
alert tcp $HOME_NET any -> [5.45.68.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203421; rev:1;)
alert tcp $HOME_NET any -> [83.11.89.28] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203422; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203423; rev:1;)
alert tcp $HOME_NET any -> [8.208.89.223] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203424; rev:1;)
alert tcp $HOME_NET any -> [77.247.127.128] 8855 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203425; rev:1;)
alert tcp $HOME_NET any -> [176.31.26.213] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203426; rev:1;) alert tcp $HOME_NET any -> [176.31.26.213] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203427; rev:1;) alert tcp $HOME_NET any -> [169.255.59.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Loki C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203428; rev:1;) alert tcp $HOME_NET any -> [143.204.201.33] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203429; rev:1;) alert tcp $HOME_NET any -> [216.170.125.102] 3582 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203430; rev:1;) alert tcp $HOME_NET any -> [217.146.88.66] 9340 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203431; rev:1;) alert tcp $HOME_NET any -> [91.211.246.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203432; rev:1;) alert tcp $HOME_NET any -> [188.130.138.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203433; rev:1;) alert tcp $HOME_NET any -> [185.140.53.49] 1384 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203434; rev:1;) alert tcp $HOME_NET any -> [45.125.239.219] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203435; rev:1;) alert tcp $HOME_NET any -> [185.140.53.16] 6403 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203436; rev:1;) alert tcp $HOME_NET any -> [47.89.208.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203437; rev:1;) alert tcp $HOME_NET any -> [157.245.11.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203438; rev:1;) alert tcp $HOME_NET any -> [43.226.229.97] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203439; rev:1;) alert tcp $HOME_NET any -> [84.16.248.160] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203440; rev:1;) alert tcp $HOME_NET any -> [93.190.93.23] 8077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track 
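by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203441; rev:1;)
# Layout: one rule per line. Snort and Suricata read a rule from a single line
# (or backslash-continued lines), so a rule wrapped in the middle of its options
# does not load. The first and last lines of this span are the tail and head of
# rules that continue outside it and are kept as found.
#
# What these rules match: any established TCP flow from $HOME_NET to the listed
# IP and port. There is no TLS or payload condition in the rule, so the family
# named in msg is the feed's attribution ("likely"), not something the sensor
# verified. Confirm a hit against host, proxy or TLS logs before acting on it.
#
# threshold: type limit, track by_src, seconds 60, count 1 caps each rule at one
# alert per source address per 60 seconds, so one alert can stand for many
# connections from the same host.
alert tcp $HOME_NET any -> [185.140.53.55] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203442; rev:1;)
alert tcp $HOME_NET any -> [149.56.234.156] 1485 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203443; rev:1;)
alert tcp $HOME_NET any -> [46.29.165.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203444; rev:1;)
alert tcp $HOME_NET any -> [91.210.169.101] 6404 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203445; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.55] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203446; rev:1;)
alert tcp $HOME_NET any -> [207.246.95.196] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203447; rev:1;)
alert tcp $HOME_NET any -> [51.89.201.48] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203448; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.53] 1050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203449; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.249] 4590 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203450; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.54] 3421 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203451; rev:1;)
alert tcp $HOME_NET any -> [89.238.181.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203452; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.254] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203453; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 82 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203454; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.130] 2001 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203455; rev:1;)
alert tcp $HOME_NET any -> [8.209.77.210] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203456; rev:1;)
alert tcp $HOME_NET any -> [103.147.185.179] 5891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203457; rev:1;)
alert tcp $HOME_NET any -> [103.114.105.3] 8780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203458; rev:1;)
alert tcp $HOME_NET any -> [188.130.138.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203459; rev:1;)
alert tcp $HOME_NET any -> [103.133.107.247] 3310 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203460; rev:1;)
alert tcp $HOME_NET any -> [103.141.137.242] 5454 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203461; rev:1;)
alert tcp $HOME_NET any -> [161.117.227.195] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203462; rev:1;)
alert tcp $HOME_NET any -> [45.129.2.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203463; rev:1;)
alert tcp $HOME_NET any -> [109.248.11.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203464; rev:1;)
alert tcp $HOME_NET any -> [103.147.185.179] 5890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203465; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.76] 9087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203466; rev:1;)
alert tcp $HOME_NET any -> [103.125.190.243] 8965 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203467; rev:1;)
alert tcp $HOME_NET any -> [119.28.159.130] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203468; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.120] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203469; rev:1;)
alert tcp $HOME_NET any -> [45.140.168.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203470; rev:1;)
alert tcp $HOME_NET any -> [88.119.175.105] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203471; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.144] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203472; rev:1;)
alert tcp $HOME_NET any -> [216.38.2.208] 1050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203473; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203474; rev:1;)
alert tcp $HOME_NET any -> [105.103.91.155] 5552 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203475; rev:1;)
alert tcp $HOME_NET any -> [139.60.161.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203476; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 6025 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203477; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.253] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203478; rev:1;)
alert tcp $HOME_NET any -> [141.255.156.106] 6606 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203479; rev:1;)
alert tcp $HOME_NET any -> [95.211.140.160] 8514 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203480; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.50] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203481; rev:1;)
alert tcp $HOME_NET any -> [185.141.61.237] 1010 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203482; rev:1;)
alert tcp $HOME_NET any -> [78.108.185.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203483; rev:1;)
alert tcp $HOME_NET any -> [31.49.13.58] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203484; rev:1;)
alert tcp $HOME_NET any -> [89.33.246.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203485; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.231] 2424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203486; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 2 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203487; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203488; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203489; rev:1;)
alert tcp $HOME_NET any -> [45.147.229.106] 8720 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203490; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 6178 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203491; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 7777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203492; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203493; rev:1;)
alert tcp $HOME_NET any -> [37.72.175.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203494; rev:1;)
alert tcp $HOME_NET any -> [69.133.56.83] 444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203495; rev:1;)
alert tcp $HOME_NET any -> [41.103.199.216] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 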
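classtype:trojan-activity; sid:905203496; rev:1;)
# One rule per line from here. The first and last lines of this span belong to
# rules that continue outside it and are kept as found.
alert tcp $HOME_NET any -> [176.57.215.142] 443 (msg:"SSLBL: Traffic to malicious host (likely KPOTStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203497; rev:1;)
alert tcp $HOME_NET any -> [184.164.139.226] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203498; rev:1;)
alert tcp $HOME_NET any -> [5.188.9.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203499; rev:1;)
alert tcp $HOME_NET any -> [51.75.154.242] 1515 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203500; rev:1;)
alert tcp $HOME_NET any -> [37.228.132.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203501; rev:1;)
alert tcp $HOME_NET any -> [185.101.93.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203502; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.142] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203503; rev:1;)
alert tcp $HOME_NET any -> [192.95.20.152] 443 (msg:"SSLBL: Traffic to malicious host (likely BlueBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203504; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203505; rev:1;)
alert tcp $HOME_NET any -> [195.123.224.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203506; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.235] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203507; rev:1;)
alert tcp $HOME_NET any -> [47.74.63.135] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203508; rev:1;)
alert tcp $HOME_NET any -> [8.208.28.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203509; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.212] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203510; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.175] 20804 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203511; rev:1;)
alert tcp $HOME_NET any -> [192.227.231.18] 1921 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203512; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.165] 3434 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203513; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203514; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.143] 2128 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203515; rev:1;)
alert tcp $HOME_NET any -> [46.21.147.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203516; rev:1;)
alert tcp $HOME_NET any -> [37.221.114.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203517; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.225] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203518; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.193] 6065 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203519; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.21] 3232 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203520; rev:1;)
# 94.158.245.160:443 is listed under two sids with different family labels
# (905203521 ServHelper, 905203522 generic Malware). One flow to it can raise
# both alerts, so correlate on destination rather than counting alerts, and do
# not read the family label as a confirmed identification.
alert tcp $HOME_NET any -> [94.158.245.160] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203521; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203522; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.90] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203523; rev:1;)
alert tcp $HOME_NET any -> [185.70.186.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203524; rev:1;)
alert tcp $HOME_NET any -> [216.38.8.168] 3856 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203525; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.6] 5934 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203526; rev:1;)
alert tcp $HOME_NET any -> [194.33.45.146] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203527; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 3232 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203528; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.137] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203529; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 20804 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203530; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.137] 9996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203531; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.71] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203532; rev:1;)
alert tcp $HOME_NET any -> [196.229.250.239] 3000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203533; rev:1;)
alert tcp $HOME_NET any -> [88.150.189.98] 1903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203534; rev:1;)
alert tcp $HOME_NET any -> [88.150.189.98] 9956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203535; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.14] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203536; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.83] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203537; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 4028 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203538; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.21] 2526 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203539; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.145] 1960 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203540; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203541; rev:1;)
alert tcp $HOME_NET any -> [91.215.169.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203542; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.228] 20908 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203543; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 2034 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203544; rev:1;)
alert tcp $HOME_NET any -> [134.19.179.187] 32741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203545; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.110] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203546; rev:1;)
alert tcp $HOME_NET any -> [45.128.133.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203547; rev:1;)
alert tcp $HOME_NET any -> [82.64.128.42] 5502 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203548; rev:1;)
alert tcp $HOME_NET any -> [82.64.128.42] 5501 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203549; rev:1;)
alert tcp $HOME_NET any -> [84.38.133.132] 3202 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203550; rev:1;)
alert tcp $HOME_NET any -> [184.75.223.219] 32741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203551; 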
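rev:1;)
# One rule per line from here. The first and last lines of this span belong to
# rules that continue outside it and are kept as found.
alert tcp $HOME_NET any -> [185.244.30.239] 2091 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203552; rev:1;)
# NOTE(review): 13.224.102.128 appears to fall in address space that Amazon
# publishes for CloudFront; confirm against the provider's current ranges.
# If so, port 443 on this address fronts unrelated sites and this rule is a
# likely false-positive source: consider suppressing sid 905203553 or requiring
# TLS/SNI evidence before treating a hit as C&C traffic.
alert tcp $HOME_NET any -> [13.224.102.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203553; rev:1;)
alert tcp $HOME_NET any -> [172.94.100.10] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203554; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 2022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203555; rev:1;)
alert tcp $HOME_NET any -> [67.43.224.156] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203556; rev:1;)
alert tcp $HOME_NET any -> [64.225.74.231] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203557; rev:1;)
alert tcp $HOME_NET any -> [144.217.211.203] 1855 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203558; rev:1;)
alert tcp $HOME_NET any -> [141.255.147.132] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203559; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.13] 7250 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203560; rev:1;)
alert tcp $HOME_NET any -> [184.75.223.235] 3460 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203561; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.17] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203562; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203563; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.109] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203564; rev:1;)
alert tcp $HOME_NET any -> [69.65.7.136] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203565; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.101] 7872 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203566; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.10] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203567; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203568; rev:1;)
alert tcp $HOME_NET any -> [198.46.141.251] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203569; rev:1;)
alert tcp $HOME_NET any -> [128.199.57.93] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203570; rev:1;)
alert tcp $HOME_NET any -> [193.37.213.157] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203571; rev:1;)
alert tcp $HOME_NET any -> [47.252.2.199] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203572; rev:1;)
alert tcp $HOME_NET any -> [168.235.111.253] 56453 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203573; rev:1;)
alert tcp $HOME_NET any -> [185.136.163.128] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203574; rev:1;)
alert tcp $HOME_NET any -> [60.51.99.42] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203575; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.84] 2803 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203576; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.60] 7071 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203577; rev:1;)
alert tcp $HOME_NET any -> [185.243.242.116] 7766 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203578; rev:1;)
alert tcp $HOME_NET any -> [111.90.142.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203579; rev:1;)
alert tcp $HOME_NET any -> [185.183.96.231] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203580; rev:1;)
alert tcp $HOME_NET any -> [176.31.88.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203581; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.223] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203582; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.71] 1788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203583; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.29] 2128 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203584; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.5] 1369 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203585; rev:1;)
alert tcp $HOME_NET any -> [37.72.175.233] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203586; rev:1;)
alert tcp $HOME_NET any -> [185.203.236.236] 6874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203587; rev:1;)
alert tcp $HOME_NET any -> [142.44.253.233] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203588; rev:1;)
alert tcp $HOME_NET any -> [111.90.144.65] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203589; rev:1;)
alert tcp $HOME_NET any -> [198.54.115.114] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203590; rev:1;)
alert tcp $HOME_NET any -> [45.74.53.124] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203591; rev:1;)
alert tcp $HOME_NET any -> [123.240.25.197] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203592; rev:1;)
alert tcp $HOME_NET any -> [185.86.4.70] 4785 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203593; rev:1;)
alert tcp $HOME_NET any -> [142.147.97.150] 6084 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203594; rev:1;)
alert tcp $HOME_NET any -> [195.123.246.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203595; rev:1;)
alert tcp $HOME_NET any -> [185.159.82.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203596; rev:1;)
alert tcp $HOME_NET any -> [45.89.230.124] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203597; rev:1;)
alert tcp $HOME_NET any -> [47.241.27.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203598; rev:1;)
# 79.134.225.71:2121 is listed under two sids with different family labels
# (905203599 Adwind, 905203600 AsyncRAT). One flow to it can raise both alerts,
# so correlate on destination rather than counting alerts, and do not read the
# family label as a confirmed identification.
alert tcp $HOME_NET any -> [79.134.225.71] 2121 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203599; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 2121 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203600; rev:1;)
alert tcp $HOME_NET any -> [185.203.236.237] 6683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203601; rev:1;)
alert tcp $HOME_NET any -> [35.192.205.70] 6969 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203602; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.147] 4789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203603; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.154] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203604; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 20908 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203605; rev:1;)
alert tcp $HOME_NET any -> [192.3.2.150] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 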
sid:905203606; rev:1;) alert tcp $HOME_NET any -> [79.134.225.97] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203607; rev:1;) alert tcp $HOME_NET any -> [185.244.30.154] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203608; rev:1;) alert tcp $HOME_NET any -> [46.183.223.29] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203609; rev:1;) alert tcp $HOME_NET any -> [118.100.66.100] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203610; rev:1;) alert tcp $HOME_NET any -> [95.213.195.71] 17171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203611; rev:1;) alert tcp $HOME_NET any -> [79.186.190.12] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203612; rev:1;) alert tcp $HOME_NET any -> [185.98.87.192] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203613; rev:1;) alert tcp $HOME_NET any -> [212.162.150.118] 6874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905203614; rev:1;) alert tcp $HOME_NET any -> [46.17.47.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203615; rev:1;) alert tcp $HOME_NET any -> [45.147.200.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203616; rev:1;) alert tcp $HOME_NET any -> [46.21.144.10] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203617; rev:1;) alert tcp $HOME_NET any -> [193.37.213.56] 2040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203618; rev:1;) alert tcp $HOME_NET any -> [195.123.246.12] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203619; rev:1;) alert tcp $HOME_NET any -> [167.99.11.50] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203620; rev:1;) alert tcp $HOME_NET any -> [23.95.94.154] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203621; rev:1;) alert tcp $HOME_NET any -> [91.189.180.195] 7618 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203622; rev:1;) alert tcp $HOME_NET any -> [193.37.213.56] 2030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203623; rev:1;) alert tcp $HOME_NET any -> [37.120.140.165] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203624; rev:1;) alert tcp $HOME_NET any -> [185.154.21.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203625; rev:1;) alert tcp $HOME_NET any -> [45.66.250.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203626; rev:1;) alert tcp $HOME_NET any -> [82.118.22.9] 8085 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203627; rev:1;) alert tcp $HOME_NET any -> [210.183.117.215] 6124 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203628; rev:1;) alert tcp $HOME_NET any -> [193.32.188.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203629; rev:1;) alert tcp $HOME_NET any -> [193.37.213.42] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203630; rev:1;) alert tcp $HOME_NET any -> [62.108.37.42] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203631; rev:1;) alert tcp $HOME_NET any -> [175.141.217.222] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203632; rev:1;) alert tcp $HOME_NET any -> [45.140.169.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203633; rev:1;) alert tcp $HOME_NET any -> [47.245.30.255] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203634; rev:1;) alert tcp $HOME_NET any -> [149.167.94.36] 10196 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203635; rev:1;) alert tcp $HOME_NET any -> [23.81.246.113] 6059 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203636; rev:1;) alert tcp $HOME_NET any -> [139.99.122.112] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203637; rev:1;) alert tcp $HOME_NET any -> [190.97.162.37] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203638; rev:1;) alert tcp $HOME_NET any -> [204.152.201.172] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203639; rev:1;) alert tcp $HOME_NET any -> [79.134.225.10] 6050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203640; rev:1;) alert tcp $HOME_NET any -> [94.158.245.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203641; rev:1;) alert tcp $HOME_NET any -> [94.158.245.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203642; rev:1;) alert tcp $HOME_NET any -> [185.225.17.227] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203643; rev:1;) alert tcp $HOME_NET any -> [93.190.93.25] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203644; rev:1;) alert tcp $HOME_NET any -> [167.86.106.40] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203645; rev:1;) alert tcp $HOME_NET any -> [217.29.57.164] 443 (msg:"SSLBL: 
Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203646; rev:1;) alert tcp $HOME_NET any -> [93.190.93.108] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203647; rev:1;) alert tcp $HOME_NET any -> [92.38.184.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203648; rev:1;) alert tcp $HOME_NET any -> [41.46.250.43] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203649; rev:1;) alert tcp $HOME_NET any -> [82.192.82.102] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203650; rev:1;) alert tcp $HOME_NET any -> [167.172.164.197] 8443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203651; rev:1;) alert tcp $HOME_NET any -> [91.215.169.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203652; rev:1;) alert tcp $HOME_NET any -> [43.226.229.82] 5288 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203653; rev:1;) alert tcp $HOME_NET any -> 
[104.129.27.166] 5210 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203654; rev:1;) alert tcp $HOME_NET any -> [144.168.239.42] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203655; rev:1;) alert tcp $HOME_NET any -> [64.225.20.238] 2030 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203656; rev:1;) alert tcp $HOME_NET any -> [82.64.128.42] 6613 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203657; rev:1;) alert tcp $HOME_NET any -> [13.225.78.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203658; rev:1;) alert tcp $HOME_NET any -> [51.83.200.181] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203659; rev:1;) alert tcp $HOME_NET any -> [111.90.156.119] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203660; rev:1;) alert tcp $HOME_NET any -> [217.146.88.175] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203661; 
rev:1;) alert tcp $HOME_NET any -> [185.176.222.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203662; rev:1;) alert tcp $HOME_NET any -> [192.119.71.129] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203663; rev:1;) alert tcp $HOME_NET any -> [151.248.126.195] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203664; rev:1;) alert tcp $HOME_NET any -> [185.10.68.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203665; rev:1;) alert tcp $HOME_NET any -> [176.107.160.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203666; rev:1;) alert tcp $HOME_NET any -> [181.141.0.182] 1898 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203667; rev:1;) alert tcp $HOME_NET any -> [185.244.30.74] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203668; rev:1;) alert tcp $HOME_NET any -> [185.209.20.124] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203669; rev:1;) alert tcp $HOME_NET any -> [115.134.230.49] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203670; rev:1;) alert tcp $HOME_NET any -> [95.211.140.172] 6687 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203671; rev:1;) alert tcp $HOME_NET any -> [108.62.141.34] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203672; rev:1;) alert tcp $HOME_NET any -> [82.64.128.42] 6617 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203673; rev:1;) alert tcp $HOME_NET any -> [193.164.150.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203674; rev:1;) alert tcp $HOME_NET any -> [185.158.154.218] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203675; rev:1;) alert tcp $HOME_NET any -> [85.143.222.85] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203676; rev:1;) alert tcp $HOME_NET any -> [47.244.208.18] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203677; rev:1;) alert tcp $HOME_NET any -> [91.215.169.244] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203678; rev:1;) alert tcp $HOME_NET any -> [91.215.169.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203679; rev:1;) alert tcp $HOME_NET any -> [176.107.160.70] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203680; rev:1;) alert tcp $HOME_NET any -> [176.107.160.70] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203681; rev:1;) alert tcp $HOME_NET any -> [178.124.140.143] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203682; rev:1;) alert tcp $HOME_NET any -> [47.252.11.17] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203683; rev:1;) alert tcp $HOME_NET any -> [148.72.172.101] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203684; rev:1;) alert tcp $HOME_NET any -> [176.107.160.11] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203685; rev:1;) alert tcp $HOME_NET any -> [190.211.254.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203686; rev:1;) alert tcp $HOME_NET any -> [111.90.156.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203687; rev:1;) alert tcp $HOME_NET any -> [46.17.44.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203688; rev:1;) alert tcp $HOME_NET any -> [195.123.222.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203689; rev:1;) alert tcp $HOME_NET any -> [193.233.149.7] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203690; rev:1;) alert tcp $HOME_NET any -> [193.233.149.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203691; rev:1;) alert tcp $HOME_NET any -> [188.127.230.203] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203692; rev:1;) alert tcp $HOME_NET any -> [49.51.136.157] 443 (msg:"SSLBL: Traffic to malicious host 
(likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203693; rev:1;) alert tcp $HOME_NET any -> [46.166.173.155] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203694; rev:1;) alert tcp $HOME_NET any -> [5.63.154.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203695; rev:1;) alert tcp $HOME_NET any -> [95.217.17.191] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203696; rev:1;) alert tcp $HOME_NET any -> [209.127.19.34] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203697; rev:1;) alert tcp $HOME_NET any -> [134.0.118.45] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203698; rev:1;) alert tcp $HOME_NET any -> [216.170.126.139] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203699; rev:1;) alert tcp $HOME_NET any -> [45.139.186.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203700; rev:1;) alert tcp $HOME_NET any -> [45.143.138.19] 443 
(msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203701; rev:1;) alert tcp $HOME_NET any -> [144.202.5.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203702; rev:1;) alert tcp $HOME_NET any -> [179.155.124.71] 15000 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203703; rev:1;) alert tcp $HOME_NET any -> [62.108.37.11] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203704; rev:1;) alert tcp $HOME_NET any -> [192.3.2.152] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203705; rev:1;) alert tcp $HOME_NET any -> [216.218.185.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203706; rev:1;) alert tcp $HOME_NET any -> [45.128.184.104] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203707; rev:1;) alert tcp $HOME_NET any -> [80.85.158.73] 7768 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203708; rev:1;) alert tcp 
$HOME_NET any -> [185.205.209.194] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203709; rev:1;) alert tcp $HOME_NET any -> [185.163.47.156] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203710; rev:1;) alert tcp $HOME_NET any -> [49.51.154.98] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203711; rev:1;) alert tcp $HOME_NET any -> [46.29.164.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203712; rev:1;) alert tcp $HOME_NET any -> [194.127.179.82] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203713; rev:1;) alert tcp $HOME_NET any -> [79.174.13.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203714; rev:1;) alert tcp $HOME_NET any -> [109.248.222.22] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203715; rev:1;) alert tcp $HOME_NET any -> [45.143.138.27] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203716; rev:1;) alert tcp $HOME_NET any -> [45.143.138.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203717; rev:1;) alert tcp $HOME_NET any -> [37.252.1.57] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203718; rev:1;) alert tcp $HOME_NET any -> [188.120.241.68] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203719; rev:1;) alert tcp $HOME_NET any -> [188.127.227.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203720; rev:1;) alert tcp $HOME_NET any -> [95.169.181.90] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203721; rev:1;) alert tcp $HOME_NET any -> [194.58.98.72] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203722; rev:1;) alert tcp $HOME_NET any -> [45.129.2.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203723; rev:1;) alert tcp $HOME_NET any -> [176.103.62.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203724; rev:1;) alert tcp $HOME_NET any -> [37.48.83.137] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203725; rev:1;) alert tcp $HOME_NET any -> [141.255.154.30] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203726; rev:1;) alert tcp $HOME_NET any -> [45.72.3.132] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203727; rev:1;) alert tcp $HOME_NET any -> [194.67.105.88] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203728; rev:1;) alert tcp $HOME_NET any -> [66.154.97.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203729; rev:1;) alert tcp $HOME_NET any -> [198.54.125.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203730; rev:1;) alert tcp $HOME_NET any -> [108.174.198.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203731; rev:1;) alert tcp $HOME_NET any -> [185.189.68.74] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203732; rev:1;) alert tcp $HOME_NET any -> [95.217.99.22] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203733; rev:1;) alert tcp $HOME_NET any -> [95.211.170.231] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203734; rev:1;) alert tcp $HOME_NET any -> [185.48.56.111] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203735; rev:1;) alert tcp $HOME_NET any -> [69.30.240.82] 4358 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203736; rev:1;) alert tcp $HOME_NET any -> [103.133.109.147] 4434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203737; rev:1;) alert tcp $HOME_NET any -> [176.10.124.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203738; rev:1;) alert tcp $HOME_NET any -> [195.19.192.46] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203739; rev:1;) alert tcp $HOME_NET any -> [45.86.182.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203740; rev:1;) alert tcp $HOME_NET any -> [45.137.22.45] 50572 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203741; rev:1;) alert tcp $HOME_NET any -> [45.80.69.34] 443 (msg:"SSLBL: Traffic to malicious host (likely CobInt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203742; rev:1;) alert tcp $HOME_NET any -> [174.127.99.243] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203743; rev:1;) alert tcp $HOME_NET any -> [185.202.174.36] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203744; rev:1;) alert tcp $HOME_NET any -> [188.225.38.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203745; rev:1;) alert tcp $HOME_NET any -> [62.76.179.117] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203746; rev:1;) alert tcp $HOME_NET any -> [188.225.26.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203747; rev:1;) alert tcp $HOME_NET any -> [45.140.168.244] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203748; rev:1;)
# The rules below match on destination IP and port only. The malware family in
# msg is the feed's attribution (worded "likely"); nothing in the rule options
# inspects the TLS certificate, SNI or payload to confirm it.
alert tcp $HOME_NET any -> [46.17.45.99] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203749; rev:1;)
# 185.140.53.217 is listed here on port 5541 and again on port 2002
# (sid:905203757); correlate hits on both sids by destination IP during triage.
alert tcp $HOME_NET any -> [185.140.53.217] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203750; rev:1;)
alert tcp $HOME_NET any -> [176.53.163.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203751; rev:1;)
alert tcp $HOME_NET any -> [172.247.227.11] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203752; rev:1;)
alert tcp $HOME_NET any -> [31.192.109.47] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203753; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.244] 2211 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203754; rev:1;)
# NOTE(review): 104.27.181.27 on port 443 looks like an address in a shared
# CDN / reverse-proxy range -- confirm ownership (WHOIS/ASN) before acting.
# If it is shared, unrelated sites answer on the same IP and this IP-only rule
# will also fire on benign traffic; corroborate a hit with SNI, certificate or
# endpoint telemetry before treating the source host as compromised.
alert tcp $HOME_NET any -> [104.27.181.27] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203755; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.82] 1112 
(msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203756; rev:1;) alert tcp $HOME_NET any -> [185.140.53.217] 2002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203757; rev:1;) alert tcp $HOME_NET any -> [37.48.92.195] 1786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203758; rev:1;) alert tcp $HOME_NET any -> [45.143.138.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203759; rev:1;) alert tcp $HOME_NET any -> [37.48.94.115] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203760; rev:1;) alert tcp $HOME_NET any -> [193.233.78.25] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203761; rev:1;) alert tcp $HOME_NET any -> [62.109.5.243] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203762; rev:1;) alert tcp $HOME_NET any -> [83.166.250.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203763; rev:1;) alert tcp $HOME_NET any 
-> [185.231.245.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203764; rev:1;) alert tcp $HOME_NET any -> [185.180.196.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203765; rev:1;) alert tcp $HOME_NET any -> [45.128.187.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203766; rev:1;) alert tcp $HOME_NET any -> [45.143.138.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203767; rev:1;) alert tcp $HOME_NET any -> [185.144.30.54] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203768; rev:1;) alert tcp $HOME_NET any -> [46.8.208.36] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203769; rev:1;) alert tcp $HOME_NET any -> [134.0.116.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203770; rev:1;) alert tcp $HOME_NET any -> [37.46.130.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203771; rev:1;) 
# How to read the rules in this list (all share the same option set):
#  - Header: TCP from $HOME_NET, any source port, to one listed IP and port.
#    Only the destination IP/port is matched; no TLS certificate, SNI or
#    payload content is checked, so the family named in msg is the feed's
#    attribution (worded "likely"), not something the rule verifies.
#  - flow:established,to_server: the rule fires only on an established TCP
#    session toward the listed host. Connection attempts that never complete
#    (host down, blocked at the firewall) raise no alert here; check firewall
#    or flow logs for those.
#  - threshold: type limit, track by_src, seconds 60, count 1: at most one
#    alert per source address per 60 seconds for each sid, so repeated
#    connections inside that window appear as a single alert.
alert tcp $HOME_NET any -> [74.36.14.147] 54984 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203772; rev:1;)
alert tcp $HOME_NET any -> [185.65.202.7] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203773; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203774; rev:1;)
alert tcp $HOME_NET any -> [45.67.229.220] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203775; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.31] 443 (msg:"SSLBL: Traffic to malicious host (likely CobInt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203776; rev:1;)
# "Malware" in msg is a generic label: the feed names no specific family for
# this host, so triage cannot start from a known family's behaviour.
alert tcp $HOME_NET any -> [91.121.235.6] 1515 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203777; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.59] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203778; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.6] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905203779; rev:1;) alert tcp $HOME_NET any -> [45.143.138.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203780; rev:1;) alert tcp $HOME_NET any -> [83.166.245.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203781; rev:1;) alert tcp $HOME_NET any -> [91.214.119.30] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203782; rev:1;) alert tcp $HOME_NET any -> [79.134.225.12] 6036 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203783; rev:1;) alert tcp $HOME_NET any -> [176.32.32.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203784; rev:1;) alert tcp $HOME_NET any -> [185.117.155.48] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203785; rev:1;) alert tcp $HOME_NET any -> [176.32.33.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203786; rev:1;) alert tcp $HOME_NET any -> [46.29.163.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203787; rev:1;) alert tcp $HOME_NET any -> [185.244.30.222] 5200 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203788; rev:1;) alert tcp $HOME_NET any -> [194.61.1.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203789; rev:1;) alert tcp $HOME_NET any -> [46.29.161.246] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203790; rev:1;) alert tcp $HOME_NET any -> [95.217.19.128] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203791; rev:1;) alert tcp $HOME_NET any -> [149.154.159.226] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203792; rev:1;) alert tcp $HOME_NET any -> [46.29.161.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203793; rev:1;) alert tcp $HOME_NET any -> [185.61.154.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203794; rev:1;) alert tcp $HOME_NET any -> [79.134.225.47] 6234 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905203795; rev:1;) alert tcp $HOME_NET any -> [83.166.242.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203796; rev:1;) alert tcp $HOME_NET any -> [91.224.22.60] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203797; rev:1;) alert tcp $HOME_NET any -> [141.105.64.132] 1606 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203798; rev:1;) alert tcp $HOME_NET any -> [54.255.139.136] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203799; rev:1;) alert tcp $HOME_NET any -> [84.54.187.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203800; rev:1;) alert tcp $HOME_NET any -> [89.35.29.52] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203801; rev:1;) alert tcp $HOME_NET any -> [119.31.127.51] 4444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203802; rev:1;) alert tcp $HOME_NET any -> [79.134.225.114] 5040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203803; rev:1;) alert tcp $HOME_NET any -> [54.191.72.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203804; rev:1;) alert tcp $HOME_NET any -> [193.109.69.17] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203805; rev:1;) alert tcp $HOME_NET any -> [45.89.230.51] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203806; rev:1;) alert tcp $HOME_NET any -> [77.222.63.110] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203807; rev:1;) alert tcp $HOME_NET any -> [173.212.248.28] 8443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203808; rev:1;) alert tcp $HOME_NET any -> [216.38.2.206] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203809; rev:1;) alert tcp $HOME_NET any -> [185.165.153.60] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203810; rev:1;) alert tcp $HOME_NET any -> [185.165.153.27] 44985 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203811; rev:1;) alert tcp $HOME_NET any -> [77.220.205.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203812; rev:1;) alert tcp $HOME_NET any -> [45.139.236.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203813; rev:1;) alert tcp $HOME_NET any -> [13.69.254.90] 77 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203814; rev:1;) alert tcp $HOME_NET any -> [185.147.15.21] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203815; rev:1;) alert tcp $HOME_NET any -> [185.130.104.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203816; rev:1;) alert tcp $HOME_NET any -> [198.50.217.185] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203817; rev:1;) alert tcp $HOME_NET any -> [45.67.231.175] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203818; rev:1;) alert tcp $HOME_NET any -> [79.134.225.92] 4040 (msg:"SSLBL: Traffic to malicious host (likely 
Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203819; rev:1;) alert tcp $HOME_NET any -> [173.249.23.208] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203820; rev:1;) alert tcp $HOME_NET any -> [185.174.172.99] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203821; rev:1;) alert tcp $HOME_NET any -> [81.25.71.88] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203822; rev:1;) alert tcp $HOME_NET any -> [185.140.53.135] 7654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203823; rev:1;) alert tcp $HOME_NET any -> [176.227.191.12] 25530 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203824; rev:1;) alert tcp $HOME_NET any -> [2.91.161.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203825; rev:1;) alert tcp $HOME_NET any -> [5.61.40.237] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203826; rev:1;) alert tcp $HOME_NET any -> [185.118.165.109] 443 (msg:"SSLBL: Traffic 
to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203827; rev:1;) alert tcp $HOME_NET any -> [79.134.225.76] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203828; rev:1;) alert tcp $HOME_NET any -> [176.32.32.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203829; rev:1;) alert tcp $HOME_NET any -> [45.144.3.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203830; rev:1;) alert tcp $HOME_NET any -> [79.134.225.79] 204 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203831; rev:1;) alert tcp $HOME_NET any -> [51.77.225.5] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203832; rev:1;) alert tcp $HOME_NET any -> [85.217.171.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203833; rev:1;) alert tcp $HOME_NET any -> [37.252.10.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203834; rev:1;) alert tcp $HOME_NET any -> [185.130.104.240] 443 
(msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203835; rev:1;) alert tcp $HOME_NET any -> [46.29.164.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203836; rev:1;) alert tcp $HOME_NET any -> [95.110.224.103] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203837; rev:1;) alert tcp $HOME_NET any -> [83.220.175.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203838; rev:1;) alert tcp $HOME_NET any -> [91.218.65.24] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203839; rev:1;) alert tcp $HOME_NET any -> [193.29.15.147] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203840; rev:1;) alert tcp $HOME_NET any -> [190.1.237.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203841; rev:1;) alert tcp $HOME_NET any -> [185.113.141.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203842; rev:1;) alert tcp 
$HOME_NET any -> [195.228.41.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203843; rev:1;)
# The line above is the tail of a rule whose "alert tcp" head sits on the
# preceding line; the last line of this span is the head of a rule that
# continues on the following line. Rules in between are laid out one per line.
#
# Every rule here alerts on TCP from $HOME_NET (any source port) to exactly one
# destination address and port. There is no payload or TLS match, so the
# malware family named in msg is the feed's attribution ("likely"), not
# something the rule verifies; treat a hit as a lead and confirm it on the host.
# flow:established,to_server limits matching to the client-to-server side of an
# established session, so an attempt that never completes the handshake does
# not match. threshold "type limit, track by_src, seconds 60, count 1" emits at
# most one alert per source address per 60 seconds for a given sid, so alert
# counts understate how often a host connected; scope with flow logs.
alert tcp $HOME_NET any -> [37.75.61.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203844; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203845; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.78] 4811 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203846; rev:1;)
alert tcp $HOME_NET any -> [51.83.18.78] 4358 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203847; rev:1;)
alert tcp $HOME_NET any -> [93.189.149.187] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203848; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.199] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203849; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.90] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203850; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.175] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203851; rev:1;)
alert tcp $HOME_NET any -> [213.208.152.216] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203852; rev:1;)
alert tcp $HOME_NET any -> [45.144.2.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203853; rev:1;)
alert tcp $HOME_NET any -> [185.157.245.59] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203854; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.75] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203855; rev:1;)
alert tcp $HOME_NET any -> [5.188.108.58] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203856; rev:1;)
alert tcp $HOME_NET any -> [138.201.6.195] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203857; rev:1;)
alert tcp $HOME_NET any -> [194.67.86.241] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203858; rev:1;)
alert tcp $HOME_NET any -> [85.143.219.95] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203859; rev:1;)
alert tcp $HOME_NET any -> [47.111.114.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203860; rev:1;)
alert tcp $HOME_NET any -> [194.58.123.243] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203861; rev:1;)
alert tcp $HOME_NET any -> [91.77.167.80] 18000 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203862; rev:1;)
alert tcp $HOME_NET any -> [45.128.186.79] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203863; rev:1;)
# NOTE(review): sid 905203864 and sid 905203865 match the same destination
# (79.134.225.71, port 8808) and differ only in the msg label, so a single
# connection raises both alerts; correlate them as one event during triage.
alert tcp $HOME_NET any -> [79.134.225.71] 8808 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203864; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203865; rev:1;)
alert tcp $HOME_NET any -> [91.230.60.107] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203866; rev:1;)
# The line above closes a rule that starts on the preceding line; the last
# line of this span opens a rule that continues on the following line.
#
# These are address-and-port indicators only: the rule header names a single
# destination IP and a single port, and the options add no content match.
# The port is matched exactly, so traffic to a listed address on a different
# port does not hit the rule. Several entries below use ports other than 443
# (for example 83, 79 and 3999), so egress filtering that only inspects 443
# would not see them.
# NOTE(review): the file header labels this the "Aggressive" variant and gives
# a "Last updated" stamp; IP indicators age as addresses are reassigned, so
# presumably older entries carry a higher false-positive risk - confirm the
# retention policy against the SSLBL terms and refresh the file on a schedule.
alert tcp $HOME_NET any -> [185.253.219.43] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203867; rev:1;)
alert tcp $HOME_NET any -> [51.77.225.5] 1960 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203868; rev:1;)
alert tcp $HOME_NET any -> [84.38.129.162] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203869; rev:1;)
alert tcp $HOME_NET any -> [188.72.115.200] 24007 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203870; rev:1;)
alert tcp $HOME_NET any -> [185.118.66.254] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203871; rev:1;)
alert tcp $HOME_NET any -> [90.96.187.205] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203872; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203873; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.150] 4922 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203874; rev:1;)
alert tcp $HOME_NET any -> [45.144.2.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203875; rev:1;)
alert tcp $HOME_NET any -> [95.213.139.105] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203876; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.136] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203877; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.193] 83 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203878; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.222] 79 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203879; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.71] 3999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203880; rev:1;)
alert tcp $HOME_NET any -> [45.147.200.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203881; rev:1;)
alert tcp $HOME_NET any -> [45.142.214.21] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203882; rev:1;)
alert tcp $HOME_NET any -> [185.156.177.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TinyNuke C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203883; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.123] 3930 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203884; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.62] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203885; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.27] 32765 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203886; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.199] 3999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203887; rev:1;)
alert tcp $HOME_NET any -> [194.165.3.1] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203888; rev:1;)
alert tcp $HOME_NET any -> [217.182.188.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203889; rev:1;)
alert tcp $HOME_NET any -> [212.7.208.72] 5567 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203890; rev:1;)
# The line above is the option list of a rule whose header sits on the
# preceding line; the last line of this span opens a rule that continues on
# the following line.
#
# Each rule lists one address in brackets, never a range. Several entries in
# this run are neighbours in 79.134.225.x, but only the addresses written out
# are covered. The same address can also appear more than once with a
# different port: 79.134.225.104 is listed on port 7562 (sid 905203898) and on
# port 4430 (sid 905203906). Those are independent rules, each applying its
# own "one alert per source per 60 seconds" limit, so a host talking to both
# ports produces two alerts that describe one remote endpoint.
alert tcp $HOME_NET any -> [91.193.75.151] 2019 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203891; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.122] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203892; rev:1;)
alert tcp $HOME_NET any -> [103.125.191.106] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203893; rev:1;)
alert tcp $HOME_NET any -> [199.19.224.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203894; rev:1;)
alert tcp $HOME_NET any -> [91.214.71.123] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203895; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.28] 20131 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203896; rev:1;)
alert tcp $HOME_NET any -> [185.130.104.187] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203897; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.104] 7562 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203898; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.150] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203899; rev:1;)
alert tcp $HOME_NET any -> [81.25.71.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203900; rev:1;)
alert tcp $HOME_NET any -> [210.123.126.60] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203901; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.118] 6778 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203902; rev:1;)
alert tcp $HOME_NET any -> [185.159.82.18] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203903; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.132] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203904; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.119] 2256 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203905; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.104] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203906; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.86] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203907; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.83] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203908; rev:1;)
alert tcp $HOME_NET any -> [83.166.246.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203909; rev:1;)
alert tcp $HOME_NET any -> [45.129.2.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203910; rev:1;)
alert tcp $HOME_NET any -> [193.56.28.57] 1944 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203911; rev:1;)
alert tcp $HOME_NET any -> [185.163.47.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203912; rev:1;)
alert tcp $HOME_NET any -> [45.140.169.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905203913; rev:1;)
# The line above closes a rule that starts on the preceding line; the last
# line of this span opens a rule that continues on the following line.
#
# The source side of every rule is $HOME_NET, a variable set in the sensor
# configuration rather than in this file. A host whose address is outside
# $HOME_NET never matches, so confirm the variable covers every internal
# range the sensor can see before relying on these rules for coverage.
# classtype is trojan-activity on every rule regardless of the family named
# in msg, so classtype-derived priority does not separate a ransomware label
# (sid 905203935, "Ransomware.Nemty") from a generic "Malware" one; key triage
# on msg or sid where priority matters.
alert tcp $HOME_NET any -> [46.17.47.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203914; rev:1;)
alert tcp $HOME_NET any -> [77.222.55.71] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203915; rev:1;)
alert tcp $HOME_NET any -> [185.222.202.74] 5760 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203916; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.211] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203917; rev:1;)
alert tcp $HOME_NET any -> [185.163.47.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203918; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.95] 43 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203919; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203920; rev:1;)
alert tcp $HOME_NET any -> [5.101.88.49] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203921; rev:1;)
alert tcp $HOME_NET any -> [194.67.194.182] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203922; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.107] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203923; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203924; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.103] 8881 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203925; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.121] 7442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203926; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203927; rev:1;)
alert tcp $HOME_NET any -> [91.92.128.232] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203928; rev:1;)
alert tcp $HOME_NET any -> [185.177.59.229] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203929; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203930; rev:1;)
alert tcp $HOME_NET any -> [45.140.168.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203931; rev:1;)
alert tcp $HOME_NET any -> [185.36.81.60] 1474 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203932; rev:1;)
alert tcp $HOME_NET any -> [185.227.82.51] 4070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203933; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203934; rev:1;)
alert tcp $HOME_NET any -> [82.146.39.206] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware.Nemty C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203935; rev:1;)
alert tcp $HOME_NET any -> [178.63.132.28] 1634 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203936; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.151] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203937; rev:1;)
# The line above closes a rule that starts on the preceding line; the last
# line of this span ("alert tcp") opens a rule that continues on the
# following line.
#
# "track by_src" keys the 60-second alert limit on the source address as the
# sensor sees it. If the sensor sits outside a NAT boundary, several internal
# hosts share one source address and one limit window, so a single alert may
# stand for more than one infected host; resolve the real client from NAT or
# proxy logs.
# NOTE(review): the in-rule threshold option is accepted by Suricata; Snort 2.9
# documents it as deprecated in favour of event_filter - confirm the engine
# in use still honours it before depending on the rate limit.
alert tcp $HOME_NET any -> [89.223.100.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203938; rev:1;)
alert tcp $HOME_NET any -> [185.193.141.251] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203939; rev:1;)
alert tcp $HOME_NET any -> [92.53.71.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203940; rev:1;)
alert tcp $HOME_NET any -> [46.21.253.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203941; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203942; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.167] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203943; rev:1;)
alert tcp $HOME_NET any -> [2.57.89.47] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203944; rev:1;)
alert tcp $HOME_NET any -> [46.249.62.203] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203945; rev:1;)
alert tcp $HOME_NET any -> [45.132.19.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware.Nemty C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203946; rev:1;)
alert tcp $HOME_NET any -> [151.80.241.113] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203947; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.95] 6460 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203948; rev:1;)
alert tcp $HOME_NET any -> [193.0.61.106] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203949; rev:1;)
alert tcp $HOME_NET any -> [185.253.218.26] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203950; rev:1;)
alert tcp $HOME_NET any -> [192.99.211.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203951; rev:1;)
alert tcp $HOME_NET any -> [172.94.88.81] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203952; rev:1;)
alert tcp $HOME_NET any -> [94.103.94.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203953; rev:1;)
alert tcp $HOME_NET any -> [91.203.5.180] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203954; rev:1;)
alert tcp $HOME_NET any -> [195.19.192.51] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203955; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.11] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203956; rev:1;)
alert tcp $HOME_NET any -> [185.105.236.161] 3939 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203957; rev:1;)
alert tcp $HOME_NET any -> [154.83.15.174] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203958; rev:1;)
alert tcp $HOME_NET any -> [104.248.149.132] 4789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203959; rev:1;)
alert tcp $HOME_NET any -> [173.212.204.171] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203960; rev:1;)
alert tcp 
$HOME_NET any -> [194.5.98.46] 32765 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203961; rev:1;)
# The line above is the tail of a rule whose "alert tcp" head sits on the
# preceding line; the last line of this span opens a rule that continues on
# the following line.
#
# The action on every rule is "alert": a match is logged, nothing is dropped.
# The rules match on destination address and port alone, so the family in msg
# (AsyncRAT, Gozi, CobaltStrike, ...) is the feed's label for that endpoint and
# is not checked against the traffic; validate on the endpoint before
# attributing an incident to a named family.
alert tcp $HOME_NET any -> [84.38.129.30] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203962; rev:1;)
alert tcp $HOME_NET any -> [89.249.65.168] 2025 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203963; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.52] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203964; rev:1;)
alert tcp $HOME_NET any -> [31.41.44.65] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203965; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 1218 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203966; rev:1;)
alert tcp $HOME_NET any -> [185.36.81.51] 6008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203967; rev:1;)
alert tcp $HOME_NET any -> [89.249.65.210] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203968; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.81] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203969; rev:1;)
alert tcp $HOME_NET any -> [81.16.141.25] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203970; rev:1;)
alert tcp $HOME_NET any -> [51.83.78.85] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203971; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203972; rev:1;)
alert tcp $HOME_NET any -> [188.127.230.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203973; rev:1;)
# NOTE(review): sid 905203974 and sid 905203975 match the same destination
# (194.67.91.222, port 443) with different family labels (RaccoonStealer and
# PsiXBot). One connection raises both alerts, and neither label can be
# preferred from network data alone; treat the pair as a single event.
alert tcp $HOME_NET any -> [194.67.91.222] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203974; rev:1;)
alert tcp $HOME_NET any -> [194.67.91.222] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203975; rev:1;)
alert tcp $HOME_NET any -> [45.141.102.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203976; rev:1;)
alert tcp $HOME_NET any -> [185.193.141.252] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203977; rev:1;)
alert tcp $HOME_NET any -> [157.245.132.240] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203978; rev:1;)
alert tcp $HOME_NET any -> [190.1.245.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203979; rev:1;)
alert tcp $HOME_NET any -> [45.67.57.184] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203980; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203981; rev:1;)
alert tcp $HOME_NET any -> [103.125.191.152] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203982; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.114] 5060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203983; rev:1;)
alert tcp $HOME_NET any -> [51.75.128.158] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203984; rev:1;)
# The line above closes a rule that starts on the preceding line; the last
# line of this span opens a rule that continues on the following line.
#
# Many destinations below are on port 443 and are identified by address only.
# An address that hosts unrelated services as well (shared hosting, a reused
# cloud address) triggers the same alert for benign traffic, so check the
# alert time against the listing date and look at the TLS metadata of the
# flow before escalating.
# NOTE(review): sids in this run are consecutive and every rule is rev:1,
# which suggests they are assigned by position when the feed is generated;
# presumably a sid can point at a different address after an update. Anchor
# suppressions and tuning on address and port, not on sid alone - confirm
# against the SSLBL documentation.
alert tcp $HOME_NET any -> [79.134.225.70] 2323 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203985; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203986; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 31447 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203987; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.96] 5665 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203988; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.110] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203989; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.116] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203990; rev:1;)
alert tcp $HOME_NET any -> [194.67.202.117] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203991; rev:1;)
alert tcp $HOME_NET any -> [195.206.106.220] 1899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203992; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.74] 3050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203993; rev:1;)
alert tcp $HOME_NET any -> [85.143.221.32] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203994; rev:1;)
alert tcp $HOME_NET any -> [185.203.116.78] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203995; rev:1;)
alert tcp $HOME_NET any -> [5.135.67.231] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203996; rev:1;)
alert tcp $HOME_NET any -> [188.120.229.38] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203997; rev:1;)
alert tcp $HOME_NET any -> [134.119.177.108] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203998; rev:1;)
alert tcp $HOME_NET any -> [46.29.165.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203999; rev:1;)
alert tcp $HOME_NET any -> [119.29.177.237] 8088 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204000; rev:1;)
alert tcp $HOME_NET any -> [195.133.1.208] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204001; rev:1;)
alert tcp $HOME_NET any -> [194.67.78.102] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204002; rev:1;)
alert tcp $HOME_NET any -> [109.196.164.75] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204003; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.175] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204004; rev:1;)
alert tcp $HOME_NET any -> [185.193.141.59] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204005; rev:1;)
alert tcp $HOME_NET any -> [46.249.59.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204006; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.90] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204007; rev:1;)
alert tcp $HOME_NET any -> [107.182.187.115] 443 
(msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204008; rev:1;) alert tcp $HOME_NET any -> [85.143.216.198] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204009; rev:1;) alert tcp $HOME_NET any -> [85.143.223.34] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204010; rev:1;) alert tcp $HOME_NET any -> [192.3.204.165] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204011; rev:1;) alert tcp $HOME_NET any -> [180.245.57.42] 6606 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204012; rev:1;) alert tcp $HOME_NET any -> [194.87.238.60] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204013; rev:1;) alert tcp $HOME_NET any -> [62.173.145.225] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204014; rev:1;) alert tcp $HOME_NET any -> [46.29.167.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204015; rev:1;) alert tcp $HOME_NET 
any -> [194.5.98.76] 8881 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204016; rev:1;) alert tcp $HOME_NET any -> [172.82.128.243] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204017; rev:1;) alert tcp $HOME_NET any -> [79.134.225.71] 7390 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204018; rev:1;) alert tcp $HOME_NET any -> [194.5.98.88] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204019; rev:1;) alert tcp $HOME_NET any -> [109.234.39.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204020; rev:1;) alert tcp $HOME_NET any -> [80.78.240.45] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204021; rev:1;) alert tcp $HOME_NET any -> [185.205.210.48] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204022; rev:1;) alert tcp $HOME_NET any -> [45.129.2.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204023; 
rev:1;) alert tcp $HOME_NET any -> [176.113.82.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204024; rev:1;) alert tcp $HOME_NET any -> [45.128.204.95] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204025; rev:1;) alert tcp $HOME_NET any -> [85.143.223.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204026; rev:1;) alert tcp $HOME_NET any -> [149.154.71.176] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204027; rev:1;) alert tcp $HOME_NET any -> [79.134.225.115] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204028; rev:1;) alert tcp $HOME_NET any -> [85.143.217.217] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204029; rev:1;) alert tcp $HOME_NET any -> [45.141.103.221] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204030; rev:1;) alert tcp $HOME_NET any -> [141.255.156.100] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204031; rev:1;)
# Rule shape used throughout this stretch: alert on an established, client-to-server
# TCP flow from $HOME_NET to one listed IP and port. No payload or TLS keyword is
# present, so the family named in msg is the feed's attribution ("likely"), not
# something the rule itself verifies.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert
# per source host per 60 seconds for each rule.
# NOTE(review): these are IP/port-only indicators; the file header's last-updated stamp
# is the only freshness signal here, so confirm a listing is still current before
# treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [159.246.29.124] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204032; rev:1;)
alert tcp $HOME_NET any -> [185.31.160.32] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204033; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.97] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204034; rev:1;)
alert tcp $HOME_NET any -> [194.67.222.131] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204035; rev:1;)
# NOTE(review): sid 905204036 and sid 905204037 match the same destination
# (194.67.78.6:443) and differ only in the msg family label and the sid. Thresholds are
# kept per rule, so a single connection raises both alerts; deduplicate on destination
# IP/port during triage rather than on msg.
alert tcp $HOME_NET any -> [194.67.78.6] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204036; rev:1;)
alert tcp $HOME_NET any -> [194.67.78.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204037; rev:1;)
# NOTE(review): same situation for 194.58.108.187:443 - sid 905204038 and the rule that
# follows it (sid 905204039) share the destination and differ only in msg label and sid.
alert tcp $HOME_NET any -> [194.58.108.187] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204038; rev:1;)
alert tcp $HOME_NET any -> [194.58.108.187] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204039; rev:1;) alert tcp $HOME_NET any -> [82.146.57.135] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204040; rev:1;) alert tcp $HOME_NET any -> [185.31.160.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204041; rev:1;) alert tcp $HOME_NET any -> [62.173.140.58] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204042; rev:1;) alert tcp $HOME_NET any -> [195.128.126.234] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204043; rev:1;) alert tcp $HOME_NET any -> [89.108.64.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204044; rev:1;) alert tcp $HOME_NET any -> [185.173.178.175] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204045; rev:1;) alert tcp $HOME_NET any -> [23.105.131.169] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204046; rev:1;) alert tcp $HOME_NET any -> [79.134.225.72] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204047; rev:1;) alert tcp $HOME_NET any -> [79.134.225.11] 1199 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204048; rev:1;) alert tcp $HOME_NET any -> [62.109.17.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204049; rev:1;) alert tcp $HOME_NET any -> [185.225.17.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Bolek C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204050; rev:1;) alert tcp $HOME_NET any -> [45.88.78.10] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204051; rev:1;) alert tcp $HOME_NET any -> [51.91.175.220] 4558 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204052; rev:1;) alert tcp $HOME_NET any -> [91.230.61.196] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204053; rev:1;) alert tcp $HOME_NET any -> [110.141.230.15] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204054; rev:1;) alert tcp $HOME_NET any -> [74.208.64.187] 3389 (msg:"SSLBL: Traffic to malicious host 
(likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204055; rev:1;) alert tcp $HOME_NET any -> [79.134.225.75] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204056; rev:1;) alert tcp $HOME_NET any -> [85.114.136.176] 4558 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204057; rev:1;) alert tcp $HOME_NET any -> [185.177.59.98] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204058; rev:1;) alert tcp $HOME_NET any -> [212.109.218.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204059; rev:1;) alert tcp $HOME_NET any -> [185.41.161.200] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204060; rev:1;) alert tcp $HOME_NET any -> [85.143.216.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204061; rev:1;) alert tcp $HOME_NET any -> [193.37.213.33] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204062; rev:1;) alert tcp $HOME_NET any -> [74.124.24.29] 10134 
(msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204063; rev:1;) alert tcp $HOME_NET any -> [193.124.117.45] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204064; rev:1;) alert tcp $HOME_NET any -> [185.94.191.37] 5201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204065; rev:1;) alert tcp $HOME_NET any -> [85.143.216.89] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204066; rev:1;) alert tcp $HOME_NET any -> [195.133.147.138] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204067; rev:1;) alert tcp $HOME_NET any -> [184.164.139.213] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204068; rev:1;) alert tcp $HOME_NET any -> [46.29.167.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204069; rev:1;) alert tcp $HOME_NET any -> [179.60.144.143] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204070; rev:1;) alert tcp 
$HOME_NET any -> [185.244.31.119] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204071; rev:1;) alert tcp $HOME_NET any -> [185.157.161.147] 65301 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204072; rev:1;) alert tcp $HOME_NET any -> [185.244.31.92] 9341 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204073; rev:1;) alert tcp $HOME_NET any -> [91.92.128.188] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204074; rev:1;) alert tcp $HOME_NET any -> [109.234.34.133] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204075; rev:1;) alert tcp $HOME_NET any -> [185.205.210.163] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204076; rev:1;) alert tcp $HOME_NET any -> [185.193.141.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204077; rev:1;) alert tcp $HOME_NET any -> [5.253.61.186] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204078; rev:1;) alert tcp $HOME_NET any -> [89.108.65.150] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204079; rev:1;) alert tcp $HOME_NET any -> [194.67.209.128] 1029 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204080; rev:1;) alert tcp $HOME_NET any -> [5.39.218.206] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204081; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 44611 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204082; rev:1;) alert tcp $HOME_NET any -> [85.217.171.237] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204083; rev:1;) alert tcp $HOME_NET any -> [77.73.69.39] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204084; rev:1;) alert tcp $HOME_NET any -> [185.163.45.199] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204085; rev:1;) alert tcp $HOME_NET any -> [185.163.45.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204086; rev:1;)
# Rule shape used throughout this stretch: alert on an established, client-to-server
# TCP flow from $HOME_NET to one listed IP and port, limited to one alert per source
# host per 60 seconds for each rule. No payload or TLS keyword is present, so the
# family named in msg is the feed's attribution ("likely"), not a verified protocol match.
alert tcp $HOME_NET any -> [66.154.102.118] 9412 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204087; rev:1;)
alert tcp $HOME_NET any -> [77.83.174.121] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204088; rev:1;)
# The next two rules cover the same host (185.205.210.60) on two different ports
# (1010 and 1040); they are distinct indicators, not duplicates.
alert tcp $HOME_NET any -> [185.205.210.60] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204089; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.60] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204090; rev:1;)
alert tcp $HOME_NET any -> [177.133.246.134] 9830 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204091; rev:1;)
# NOTE(review): sid 905204092 and sid 905204093 match the same destination
# (185.163.45.175:443) and differ only in the msg family label and the sid. Thresholds
# are kept per rule, so a single connection raises both alerts; deduplicate on
# destination IP/port during triage rather than on msg.
alert tcp $HOME_NET any -> [185.163.45.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204092; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.175] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204093; rev:1;)
alert tcp $HOME_NET any -> [172.111.250.235] 6601 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204094; rev:1;) alert tcp $HOME_NET any -> [46.4.167.227] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204095; rev:1;) alert tcp $HOME_NET any -> [178.124.140.146] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204096; rev:1;) alert tcp $HOME_NET any -> [89.223.94.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204097; rev:1;) alert tcp $HOME_NET any -> [185.244.31.84] 9988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204098; rev:1;) alert tcp $HOME_NET any -> [178.156.202.242] 2050 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204099; rev:1;) alert tcp $HOME_NET any -> [3.14.212.173] 10836 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204100; rev:1;) alert tcp $HOME_NET any -> [185.203.117.118] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204101; rev:1;) alert tcp $HOME_NET any -> [93.170.76.77] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204102; rev:1;) alert tcp $HOME_NET any -> [94.158.245.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204103; rev:1;) alert tcp $HOME_NET any -> [82.146.34.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204104; rev:1;) alert tcp $HOME_NET any -> [31.220.43.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204105; rev:1;) alert tcp $HOME_NET any -> [5.252.178.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204106; rev:1;) alert tcp $HOME_NET any -> [185.165.153.161] 6776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204107; rev:1;) alert tcp $HOME_NET any -> [46.249.59.119] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204108; rev:1;) alert tcp $HOME_NET any -> [79.134.225.121] 9992 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204109; rev:1;) alert tcp $HOME_NET any -> [94.156.35.241] 1010 (msg:"SSLBL: 
Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204110; rev:1;) alert tcp $HOME_NET any -> [104.168.197.211] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204111; rev:1;) alert tcp $HOME_NET any -> [45.61.49.107] 2444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204112; rev:1;) alert tcp $HOME_NET any -> [185.159.129.138] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204113; rev:1;) alert tcp $HOME_NET any -> [185.51.247.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204114; rev:1;) alert tcp $HOME_NET any -> [185.165.153.4] 1997 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204115; rev:1;) alert tcp $HOME_NET any -> [185.165.153.145] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204116; rev:1;) alert tcp $HOME_NET any -> [46.21.153.72] 1506 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204117; rev:1;) alert tcp $HOME_NET any -> 
[197.255.225.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204118; rev:1;) alert tcp $HOME_NET any -> [188.227.212.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204119; rev:1;) alert tcp $HOME_NET any -> [185.203.118.180] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204120; rev:1;) alert tcp $HOME_NET any -> [81.16.141.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204121; rev:1;) alert tcp $HOME_NET any -> [213.208.152.205] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204122; rev:1;) alert tcp $HOME_NET any -> [185.61.138.206] 25565 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204123; rev:1;) alert tcp $HOME_NET any -> [37.75.34.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204124; rev:1;) alert tcp $HOME_NET any -> [176.227.191.12] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905204125; rev:1;) alert tcp $HOME_NET any -> [177.133.239.37] 6606 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204126; rev:1;) alert tcp $HOME_NET any -> [91.148.141.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204127; rev:1;) alert tcp $HOME_NET any -> [185.225.17.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204128; rev:1;) alert tcp $HOME_NET any -> [93.170.76.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204129; rev:1;) alert tcp $HOME_NET any -> [192.99.135.121] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204130; rev:1;) alert tcp $HOME_NET any -> [109.185.156.241] 5555 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204131; rev:1;) alert tcp $HOME_NET any -> [213.188.152.96] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204132; rev:1;) alert tcp $HOME_NET any -> [91.132.139.145] 5020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905204133; rev:1;) alert tcp $HOME_NET any -> [72.44.80.19] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204134; rev:1;) alert tcp $HOME_NET any -> [194.147.34.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204135; rev:1;) alert tcp $HOME_NET any -> [161.129.67.135] 6722 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204136; rev:1;) alert tcp $HOME_NET any -> [189.47.95.154] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204137; rev:1;) alert tcp $HOME_NET any -> [51.75.17.4] 10135 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204138; rev:1;) alert tcp $HOME_NET any -> [78.138.107.12] 7779 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204139; rev:1;) alert tcp $HOME_NET any -> [46.17.46.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204140; rev:1;) alert tcp $HOME_NET any -> [185.244.29.219] 58030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204141; rev:1;) alert tcp $HOME_NET any -> [185.247.228.24] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204142; rev:1;) alert tcp $HOME_NET any -> [103.87.48.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204143; rev:1;) alert tcp $HOME_NET any -> [185.217.1.185] 911 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204144; rev:1;) alert tcp $HOME_NET any -> [45.74.1.12] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204145; rev:1;) alert tcp $HOME_NET any -> [185.247.228.191] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204146; rev:1;) alert tcp $HOME_NET any -> [45.227.255.117] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204147; rev:1;) alert tcp $HOME_NET any -> [94.158.245.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204148; rev:1;) alert tcp $HOME_NET any -> [138.121.24.78] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204149; rev:1;) alert tcp $HOME_NET any -> [185.205.209.96] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204150; rev:1;) alert tcp $HOME_NET any -> [185.222.57.157] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204151; rev:1;) alert tcp $HOME_NET any -> [185.247.228.69] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204152; rev:1;) alert tcp $HOME_NET any -> [200.171.231.146] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204153; rev:1;) alert tcp $HOME_NET any -> [185.217.1.151] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204154; rev:1;) alert tcp $HOME_NET any -> [168.227.229.112] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204155; rev:1;) alert tcp $HOME_NET any -> [193.56.28.172] 1944 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204156; rev:1;) alert tcp $HOME_NET any -> [51.75.154.197] 7777 (msg:"SSLBL: Traffic to 
malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204157; rev:1;) alert tcp $HOME_NET any -> [185.247.228.177] 6776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204158; rev:1;) alert tcp $HOME_NET any -> [64.44.42.148] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204159; rev:1;) alert tcp $HOME_NET any -> [185.247.228.53] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204160; rev:1;) alert tcp $HOME_NET any -> [178.239.21.5] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204161; rev:1;) alert tcp $HOME_NET any -> [131.0.142.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204162; rev:1;) alert tcp $HOME_NET any -> [185.186.244.99] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204163; rev:1;) alert tcp $HOME_NET any -> [185.247.228.128] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204164; rev:1;) alert tcp $HOME_NET any -> [177.8.172.86] 
449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204165; rev:1;) alert tcp $HOME_NET any -> [181.115.168.69] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204166; rev:1;) alert tcp $HOME_NET any -> [45.89.230.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204167; rev:1;) alert tcp $HOME_NET any -> [187.74.75.191] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204168; rev:1;) alert tcp $HOME_NET any -> [180.250.197.188] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204169; rev:1;) alert tcp $HOME_NET any -> [177.76.22.91] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204170; rev:1;) alert tcp $HOME_NET any -> [201.0.106.138] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204171; rev:1;) alert tcp $HOME_NET any -> [188.215.229.215] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204172; rev:1;) alert tcp 
$HOME_NET any -> [46.17.40.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204173; rev:1;) alert tcp $HOME_NET any -> [46.17.40.254] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204174; rev:1;) alert tcp $HOME_NET any -> [154.16.93.179] 2019 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204175; rev:1;) alert tcp $HOME_NET any -> [179.180.17.194] 9830 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204176; rev:1;) alert tcp $HOME_NET any -> [91.193.75.22] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204177; rev:1;) alert tcp $HOME_NET any -> [95.211.214.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204178; rev:1;) alert tcp $HOME_NET any -> [175.126.82.55] 8888 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204179; rev:1;) alert tcp $HOME_NET any -> [46.17.40.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204180; rev:1;) 
# SSLBL botnet C2 destination rules, sids 905204181-905204243, laid out one rule per line
# (the form Snort/Suricata rule files use).
#
# What a hit means: every rule below matches only on destination IP and TCP port for an
# established client-to-server flow leaving $HOME_NET (flow:established,to_server). None of
# them inspects payload or TLS fields, so an alert says "an internal host completed a TCP
# connection to this listed address:port", not that the family named in msg was confirmed.
# The family name is the feed's label ("likely ..."); "Malware" is its generic label.
#
# Alert volume: threshold: type limit, track by_src, seconds 60, count 1 caps each rule at
# one alert per source address per 60 seconds, so alert counts understate the number of
# connections. Use flow records to size the activity from a flagged host.
#
# Triage notes: IP indicators go stale as addresses are reassigned or shared, so check the
# ruleset's last-updated timestamp and corroborate with host telemetry before containment.
# Several entries are on 443, where the listed address may also serve unrelated TLS sites.
# The same address can appear under more than one port, each with its own sid
# (e.g. 185.205.209.2 on 1020 and 1010), so pivot on the address rather than a single sid.
alert tcp $HOME_NET any -> [185.247.228.18] 8787 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204181; rev:1;)
alert tcp $HOME_NET any -> [5.39.119.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204182; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204183; rev:1;)
alert tcp $HOME_NET any -> [89.223.90.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204184; rev:1;)
alert tcp $HOME_NET any -> [194.165.3.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204185; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.4] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204186; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.28] 587 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204187; rev:1;)
alert tcp $HOME_NET any -> [54.38.127.22] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204188; rev:1;)
alert tcp $HOME_NET any -> [134.119.180.105] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204189; rev:1;)
alert tcp $HOME_NET any -> [141.255.166.157] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204190; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204191; rev:1;)
alert tcp $HOME_NET any -> [190.13.160.19] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204192; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.69] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204193; rev:1;)
alert tcp $HOME_NET any -> [185.193.141.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204194; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.31] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204195; rev:1;)
alert tcp $HOME_NET any -> [67.253.236.155] 111 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204196; rev:1;)
alert tcp $HOME_NET any -> [46.17.44.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204197; rev:1;)
alert tcp $HOME_NET any -> [93.90.193.189] 9341 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204198; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204199; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.89] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204200; rev:1;)
alert tcp $HOME_NET any -> [94.130.156.219] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204201; rev:1;)
alert tcp $HOME_NET any -> [64.44.42.201] 6677 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204202; rev:1;)
alert tcp $HOME_NET any -> [188.209.52.219] 25565 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204203; rev:1;)
alert tcp $HOME_NET any -> [62.109.24.227] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204204; rev:1;)
alert tcp $HOME_NET any -> [93.189.149.176] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204205; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.16] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204206; rev:1;)
alert tcp $HOME_NET any -> [187.110.100.122] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204207; rev:1;)
alert tcp $HOME_NET any -> [211.47.153.128] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204208; rev:1;)
alert tcp $HOME_NET any -> [5.188.60.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204209; rev:1;)
alert tcp $HOME_NET any -> [176.227.191.12] 2002 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204210; rev:1;)
alert tcp $HOME_NET any -> [81.177.6.162] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204211; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.2] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204212; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.45] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204213; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.2] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204214; rev:1;)
alert tcp $HOME_NET any -> [31.214.157.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204215; rev:1;)
alert tcp $HOME_NET any -> [185.217.1.190] 1337 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204216; rev:1;)
alert tcp $HOME_NET any -> [23.81.246.143] 1013 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204217; rev:1;)
alert tcp $HOME_NET any -> [177.183.194.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204218; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.62] 5780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204219; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.130] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204220; rev:1;)
alert tcp $HOME_NET any -> [186.183.199.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204221; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.21] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204222; rev:1;)
alert tcp $HOME_NET any -> [95.167.151.233] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204223; rev:1;)
alert tcp $HOME_NET any -> [186.138.152.228] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204224; rev:1;)
alert tcp $HOME_NET any -> [200.35.56.81] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204225; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204226; rev:1;)
alert tcp $HOME_NET any -> [103.74.91.27] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204227; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.77] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204228; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.135] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204229; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.205] 5500 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204230; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.25] 8856 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204231; rev:1;)
alert tcp $HOME_NET any -> [31.214.157.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204232; rev:1;)
alert tcp $HOME_NET any -> [79.9.88.117] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204233; rev:1;)
alert tcp $HOME_NET any -> [185.203.117.3] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204234; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.195] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204235; rev:1;)
alert tcp $HOME_NET any -> [134.209.78.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204236; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.61] 6343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204237; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.90] 4132 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204238; rev:1;)
alert tcp $HOME_NET any -> [85.117.234.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204239; rev:1;)
alert tcp $HOME_NET any -> [181.129.49.98] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204240; rev:1;)
alert tcp $HOME_NET any -> [181.129.140.140] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204241; rev:1;)
alert tcp $HOME_NET any -> [147.135.60.142] 4030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204242; rev:1;)
alert tcp $HOME_NET any -> [109.236.80.32] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204243; rev:1;)
# Section of the SSLBL botnet C2 IP ruleset, restored to one rule per line.
# Snort and Suricata expect a rule on a single line (or joined with a trailing
# backslash); the rule text itself is unchanged.
#
# What each rule matches: an established TCP flow from $HOME_NET, client to
# server, towards one destination IP on one destination port. There is no
# payload, TLS or certificate condition, so a hit means "a monitored host has
# an established connection to this IP:port" and nothing more.
#
# Points to keep in mind when deploying or triaging:
# - The match is IP *and* port. The same address is listed under several ports
#   in this section (e.g. 185.163.45.48 on 3290 and 7795, 185.136.168.134 on
#   7776 and 10134); traffic to a listed host on an unlisted port raises no
#   alert from these rules.
# - threshold "type limit, track by_src, seconds 60, count 1" emits at most one
#   alert per source address per 60 seconds for each rule, so alert volume is
#   not connection volume. Use flow logs to see how often a host connected.
# - $HOME_NET has to cover the monitored clients, otherwise nothing fires.
# - The family name in msg is the feed's label and is worded "likely"; the
#   labels "Malware" and "Ransomware" name no family. Treat it as a triage hint.
# - IP indicators are point-in-time. Addresses get reassigned and shared, so
#   corroborate a hit (TLS metadata, DNS, endpoint telemetry) before acting on
#   it, and refresh the ruleset from the feed rather than keeping a stale copy.
alert tcp $HOME_NET any -> [186.42.226.46] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204244; rev:1;)
alert tcp $HOME_NET any -> [181.112.145.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204245; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.43] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204246; rev:1;)
alert tcp $HOME_NET any -> [147.135.60.142] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204247; rev:1;)
alert tcp $HOME_NET any -> [181.196.61.110] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204248; rev:1;)
alert tcp $HOME_NET any -> [177.52.79.29] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204249; rev:1;)
alert tcp $HOME_NET any -> [66.70.164.168] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204250; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.85] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204251; rev:1;)
alert tcp $HOME_NET any -> [200.110.72.134] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204252; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.19] 22209 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204253; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204254; rev:1;)
alert tcp $HOME_NET any -> [5.206.226.46] 4749 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204255; rev:1;)
alert tcp $HOME_NET any -> [109.236.80.32] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204256; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.23] 5543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204257; rev:1;)
alert tcp $HOME_NET any -> [177.52.28.238] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204258; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.234] 6177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204259; rev:1;)
alert tcp $HOME_NET any -> [185.141.61.192] 1507 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204260; rev:1;)
alert tcp $HOME_NET any -> [185.228.234.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204261; rev:1;)
alert tcp $HOME_NET any -> [186.248.163.198] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204262; rev:1;)
alert tcp $HOME_NET any -> [45.74.1.41] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204263; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.138] 5195 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204264; rev:1;)
alert tcp $HOME_NET any -> [200.107.59.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204265; rev:1;)
alert tcp $HOME_NET any -> [181.112.221.246] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204266; rev:1;)
alert tcp $HOME_NET any -> [186.42.186.202] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204267; rev:1;)
alert tcp $HOME_NET any -> [187.8.169.10] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204268; rev:1;)
alert tcp $HOME_NET any -> [187.95.123.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204269; rev:1;)
alert tcp $HOME_NET any -> [151.106.0.80] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204270; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.141] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204271; rev:1;)
alert tcp $HOME_NET any -> [138.186.62.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204272; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.136] 15290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204273; rev:1;)
alert tcp $HOME_NET any -> [187.65.49.88] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204274; rev:1;)
alert tcp $HOME_NET any -> [191.242.178.210] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204275; rev:1;)
alert tcp $HOME_NET any -> [158.69.144.70] 6343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204276; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.230] 2094 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204277; rev:1;)
alert tcp $HOME_NET any -> [191.241.233.195] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204278; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.140] 2233 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204279; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.47] 7795 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204280; rev:1;)
alert tcp $HOME_NET any -> [161.129.65.104] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204281; rev:1;)
alert tcp $HOME_NET any -> [45.74.1.201] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204282; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 38786 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204283; rev:1;)
alert tcp $HOME_NET any -> [185.143.145.90] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204284; rev:1;)
alert tcp $HOME_NET any -> [185.62.189.186] 4749 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204285; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204286; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.98] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204287; rev:1;)
alert tcp $HOME_NET any -> [185.164.72.234] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204288; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.157] 9002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204289; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.160] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204290; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.170] 4020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204291; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.6] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204292; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.46] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204293; rev:1;)
alert tcp $HOME_NET any -> [79.180.33.229] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204294; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204295; rev:1;)
alert tcp $HOME_NET any -> [46.17.40.153] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204296; rev:1;)
alert tcp $HOME_NET any -> [161.129.66.19] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204297; rev:1;)
alert tcp $HOME_NET any -> [185.62.188.109] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204298; rev:1;)
alert tcp $HOME_NET any -> [202.95.13.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204299; rev:1;)
alert tcp $HOME_NET any -> [40.89.157.54] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204300; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204301; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.24] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204302; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.48] 3290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204303; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.110] 4125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204304; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.48] 7795 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204305; rev:1;)
alert tcp $HOME_NET any -> [190.196.32.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204306; rev:1;)
alert tcp $HOME_NET any -> [188.120.226.212] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204307; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.109] 4132 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204308; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.187] 2250 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204309; rev:1;)
alert tcp $HOME_NET any -> [185.103.110.32] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204310; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204311; rev:1;)
alert tcp $HOME_NET any -> [93.170.129.78] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204312; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.184] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204313; rev:1;)
alert tcp $HOME_NET any -> [181.129.20.250] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204314; rev:1;)
alert tcp $HOME_NET any -> [46.232.113.9] 443 (msg:"SSLBL: Traffic to malicious host (likely RaccoonStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204315; rev:1;)
alert tcp $HOME_NET any -> [190.151.10.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204316; rev:1;)
alert tcp $HOME_NET any -> [181.115.236.26] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204317; rev:1;)
alert tcp $HOME_NET any -> [186.159.2.153] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204318; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204319; rev:1;)
alert tcp $HOME_NET any -> [143.255.141.137] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204320; rev:1;)
alert tcp $HOME_NET any -> [177.105.237.93] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204321; rev:1;)
alert tcp $HOME_NET any -> [190.117.66.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204322; rev:1;)
alert tcp $HOME_NET any -> [181.176.191.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204323; rev:1;)
alert tcp $HOME_NET any -> [178.57.218.162] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204324; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204325; rev:1;)
alert tcp $HOME_NET any -> [88.119.179.177] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204326; rev:1;)
alert tcp $HOME_NET any -> [80.173.224.81] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204327; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.41] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204328; rev:1;)
alert tcp $HOME_NET any -> [209.45.30.2] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204329; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.95] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204330; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204331; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.27] 3242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204332; rev:1;)
alert tcp $HOME_NET any -> [185.74.255.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204333; rev:1;)
alert tcp $HOME_NET any -> [181.48.203.10] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204334; rev:1;)
alert tcp $HOME_NET any -> [46.17.43.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204335; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204336; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.25] 1123 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204337; rev:1;)
alert tcp $HOME_NET any -> [186.226.188.105] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204338; rev:1;)
alert tcp $HOME_NET any -> [190.0.20.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204339; rev:1;)
alert tcp $HOME_NET any -> [190.109.165.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204340; rev:1;)
alert tcp $HOME_NET any -> [200.54.14.61] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204341; rev:1;)
alert tcp $HOME_NET any -> [181.143.102.30] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204342; rev:1;)
alert tcp $HOME_NET any -> [201.184.69.50] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204343; rev:1;)
alert tcp $HOME_NET any -> [181.143.17.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204344; rev:1;)
alert tcp $HOME_NET any -> [89.105.195.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204345; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.193] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204346; rev:1;)
alert tcp $HOME_NET any -> [45.32.84.150] 8080 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204347; rev:1;)
alert tcp $HOME_NET any -> [82.62.44.126] 6315 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204348; rev:1;)
alert tcp $HOME_NET any -> [185.206.146.146] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204349; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.99] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204350; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.132] 4125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204351; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.66] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204352; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204353; rev:1;)
alert tcp $HOME_NET any -> [185.66.9.114] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204354; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.46] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204355; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.22] 22112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204356; rev:1;)
alert tcp $HOME_NET any -> [51.255.130.130] 2808 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204357; rev:1;)
alert tcp $HOME_NET any -> [79.1.42.72] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204358; rev:1;)
alert tcp $HOME_NET any -> [85.119.144.126] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204359; rev:1;)
alert tcp $HOME_NET any -> [77.222.60.127] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204360; rev:1;)
alert tcp $HOME_NET any -> [194.28.84.254] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204361; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.39] 1921 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204362; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.55] 45201 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204363; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.6] 34022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204364; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.12] 8785 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204365; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204366; rev:1;)
alert tcp $HOME_NET any -> [185.181.209.76] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204367; rev:1;)
alert tcp $HOME_NET any -> [185.156.173.122] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204368; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.6] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204369; rev:1;)
alert tcp $HOME_NET any -> [185.136.168.134] 7776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204370; rev:1;)
alert tcp $HOME_NET any -> [188.209.52.68] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204371; rev:1;)
alert tcp $HOME_NET any -> [185.136.168.134] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204372; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.172] 2564 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204373; rev:1;)
alert tcp $HOME_NET any -> [185.139.70.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204374; rev:1;)
alert tcp $HOME_NET any -> [199.195.250.222] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204375; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.46] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204376; rev:1;)
alert tcp $HOME_NET any -> [185.189.149.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204377; rev:1;)
alert tcp $HOME_NET any -> [103.114.107.151] 8089 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204378; rev:1;)
alert tcp $HOME_NET any -> [91.230.61.178] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204379; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.184] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204380; rev:1;)
alert tcp $HOME_NET any -> [204.16.247.226] 419 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204381; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.38] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204382; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.14] 1971 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204383; rev:1;)
alert tcp $HOME_NET any -> [31.220.43.154] 8080 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204384; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204385; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204386; rev:1;)
alert tcp $HOME_NET any -> [46.17.43.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204387; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204388; rev:1;)
alert tcp $HOME_NET any -> [185.4.29.236] 9221 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204389; rev:1;)
alert tcp $HOME_NET any -> [185.206.146.146] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204390; rev:1;)
alert tcp $HOME_NET any -> [89.223.94.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204391; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.141] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204392; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.241] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204393; rev:1;)
alert tcp $HOME_NET any -> [176.227.191.12] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204394; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.99] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204395; rev:1;)
alert tcp $HOME_NET any -> [197.46.21.48] 7777 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204396; rev:1;)
alert tcp $HOME_NET any -> [185.219.82.83] 5555 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204397; rev:1;)
alert tcp $HOME_NET any -> [71.207.206.178] 7532 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204398; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204399; rev:1;)
alert tcp $HOME_NET any -> [185.17.121.185] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204400; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204401; rev:1;)
alert tcp $HOME_NET any -> [46.17.41.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204402; rev:1;)
alert tcp $HOME_NET any -> [192.162.244.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204403; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.180] 6565 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204404; rev:1;)
alert tcp $HOME_NET any -> [89.223.88.195] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204405; rev:1;)
alert tcp $HOME_NET any -> [51.15.21.149] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204406; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.172] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204407; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204408; rev:1;)
alert 
tcp $HOME_NET any -> [177.226.176.13] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204409; rev:1;) alert tcp $HOME_NET any -> [194.5.97.16] 2212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204410; rev:1;) alert tcp $HOME_NET any -> [194.5.97.58] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204411; rev:1;) alert tcp $HOME_NET any -> [89.223.25.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204412; rev:1;) alert tcp $HOME_NET any -> [46.17.45.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204413; rev:1;) alert tcp $HOME_NET any -> [91.192.100.39] 6778 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204414; rev:1;) alert tcp $HOME_NET any -> [185.244.29.9] 3478 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204415; rev:1;) alert tcp $HOME_NET any -> [91.192.100.48] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905204416; rev:1;) alert tcp $HOME_NET any -> [144.217.89.128] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204417; rev:1;) alert tcp $HOME_NET any -> [185.244.29.31] 1880 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204418; rev:1;) alert tcp $HOME_NET any -> [178.239.21.40] 1999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204419; rev:1;) alert tcp $HOME_NET any -> [192.3.24.248] 3478 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204420; rev:1;) alert tcp $HOME_NET any -> [31.171.152.105] 3602 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204421; rev:1;) alert tcp $HOME_NET any -> [209.97.179.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204422; rev:1;) alert tcp $HOME_NET any -> [91.192.100.8] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204423; rev:1;) alert tcp $HOME_NET any -> [194.5.98.250] 2256 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204424; rev:1;) alert tcp $HOME_NET any -> [93.189.149.131] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204425; rev:1;) alert tcp $HOME_NET any -> [193.187.173.214] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204426; rev:1;) alert tcp $HOME_NET any -> [185.244.29.184] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204427; rev:1;) alert tcp $HOME_NET any -> [85.59.129.120] 6666 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204428; rev:1;) alert tcp $HOME_NET any -> [178.239.21.143] 9801 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204429; rev:1;) alert tcp $HOME_NET any -> [185.244.29.161] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204430; rev:1;) alert tcp $HOME_NET any -> [185.165.153.119] 6868 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204431; rev:1;) alert tcp $HOME_NET any -> [52.142.166.69] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204432; rev:1;) alert tcp $HOME_NET any -> [95.213.251.165] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204433; rev:1;) alert tcp $HOME_NET any -> [95.169.31.41] 53 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204434; rev:1;) alert tcp $HOME_NET any -> [185.244.29.52] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204435; rev:1;) alert tcp $HOME_NET any -> [185.158.251.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204436; rev:1;) alert tcp $HOME_NET any -> [194.5.97.210] 3012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204437; rev:1;) alert tcp $HOME_NET any -> [194.5.98.16] 5551 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204438; rev:1;) alert tcp $HOME_NET any -> [194.147.34.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204439; rev:1;) alert tcp $HOME_NET any -> [185.158.249.17] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204440; rev:1;) alert tcp $HOME_NET any -> [185.48.56.231] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204441; rev:1;) alert tcp $HOME_NET any -> [54.37.240.237] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204442; rev:1;) alert tcp $HOME_NET any -> [84.38.129.48] 3021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204443; rev:1;) alert tcp $HOME_NET any -> [194.5.97.5] 8484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204444; rev:1;) alert tcp $HOME_NET any -> [91.192.100.6] 12201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204445; rev:1;) alert tcp $HOME_NET any -> [194.5.98.58] 4435 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204446; rev:1;) alert tcp $HOME_NET any -> [185.179.188.245] 4782 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204447; rev:1;) alert tcp $HOME_NET any -> [91.192.100.47] 8332 (msg:"SSLBL: Traffic to malicious host (likely 
Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204448; rev:1;) alert tcp $HOME_NET any -> [178.239.21.242] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204449; rev:1;) alert tcp $HOME_NET any -> [194.147.32.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204450; rev:1;) alert tcp $HOME_NET any -> [46.29.166.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204451; rev:1;) alert tcp $HOME_NET any -> [46.17.42.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204452; rev:1;) alert tcp $HOME_NET any -> [185.81.157.43] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204453; rev:1;) alert tcp $HOME_NET any -> [173.46.85.73] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204454; rev:1;) alert tcp $HOME_NET any -> [173.46.85.19] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204455; rev:1;) alert tcp $HOME_NET any -> [194.5.98.58] 7075 (msg:"SSLBL: Traffic to malicious 
host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204456; rev:1;) alert tcp $HOME_NET any -> [195.123.246.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204457; rev:1;) alert tcp $HOME_NET any -> [194.147.32.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204458; rev:1;) alert tcp $HOME_NET any -> [46.29.167.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204459; rev:1;) alert tcp $HOME_NET any -> [185.207.205.134] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204460; rev:1;) alert tcp $HOME_NET any -> [194.5.98.172] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204461; rev:1;) alert tcp $HOME_NET any -> [194.76.224.30] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204462; rev:1;) alert tcp $HOME_NET any -> [194.5.97.215] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204463; rev:1;) alert tcp $HOME_NET any -> [185.211.48.20] 10134 
(msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204464; rev:1;) alert tcp $HOME_NET any -> [5.135.43.178] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204465; rev:1;) alert tcp $HOME_NET any -> [46.183.218.124] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204466; rev:1;) alert tcp $HOME_NET any -> [185.165.153.93] 76 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204467; rev:1;) alert tcp $HOME_NET any -> [178.239.21.167] 92 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204468; rev:1;) alert tcp $HOME_NET any -> [194.5.99.195] 5244 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204469; rev:1;) alert tcp $HOME_NET any -> [91.192.100.28] 7766 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204470; rev:1;) alert tcp $HOME_NET any -> [91.192.100.39] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204471; rev:1;) alert tcp $HOME_NET any 
-> [194.5.99.71] 5244 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204472; rev:1;) alert tcp $HOME_NET any -> [192.152.0.71] 3021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204473; rev:1;) alert tcp $HOME_NET any -> [13.53.94.89] 25565 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204474; rev:1;) alert tcp $HOME_NET any -> [162.244.32.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204475; rev:1;) alert tcp $HOME_NET any -> [89.105.198.18] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204476; rev:1;) alert tcp $HOME_NET any -> [212.114.52.181] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204477; rev:1;) alert tcp $HOME_NET any -> [178.239.21.118] 4675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204478; rev:1;) alert tcp $HOME_NET any -> [54.37.191.17] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204479; 
rev:1;) alert tcp $HOME_NET any -> [77.72.135.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204480; rev:1;) alert tcp $HOME_NET any -> [192.152.0.87] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204481; rev:1;) alert tcp $HOME_NET any -> [5.188.231.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204482; rev:1;) alert tcp $HOME_NET any -> [31.171.152.101] 4548 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204483; rev:1;) alert tcp $HOME_NET any -> [31.171.152.107] 1071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204484; rev:1;) alert tcp $HOME_NET any -> [109.94.209.127] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204485; rev:1;) alert tcp $HOME_NET any -> [109.248.147.173] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204486; rev:1;) alert tcp $HOME_NET any -> [194.147.32.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204487; rev:1;) alert tcp $HOME_NET any -> [194.147.34.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204488; rev:1;) alert tcp $HOME_NET any -> [178.239.21.105] 1955 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204489; rev:1;) alert tcp $HOME_NET any -> [62.76.46.221] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204490; rev:1;) alert tcp $HOME_NET any -> [146.120.110.93] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204491; rev:1;) alert tcp $HOME_NET any -> [89.223.91.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204492; rev:1;) alert tcp $HOME_NET any -> [46.17.44.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204493; rev:1;) alert tcp $HOME_NET any -> [194.147.34.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204494; rev:1;) alert tcp $HOME_NET any -> [46.17.40.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905204495; rev:1;) alert tcp $HOME_NET any -> [89.223.91.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204496; rev:1;) alert tcp $HOME_NET any -> [144.202.59.44] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204497; rev:1;) alert tcp $HOME_NET any -> [151.106.60.147] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204498; rev:1;) alert tcp $HOME_NET any -> [185.158.251.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204499; rev:1;) alert tcp $HOME_NET any -> [178.239.21.196] 2021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204500; rev:1;) alert tcp $HOME_NET any -> [46.173.214.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204501; rev:1;) alert tcp $HOME_NET any -> [185.173.92.61] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204502; rev:1;) alert tcp $HOME_NET any -> [3.121.182.157] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204503; rev:1;) alert tcp $HOME_NET any -> [185.255.91.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204504; rev:1;) alert tcp $HOME_NET any -> [188.127.239.51] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204505; rev:1;) alert tcp $HOME_NET any -> [185.228.234.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204506; rev:1;) alert tcp $HOME_NET any -> [185.165.153.199] 18 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204507; rev:1;) alert tcp $HOME_NET any -> [185.136.168.203] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204508; rev:1;) alert tcp $HOME_NET any -> [103.1.184.108] 33444 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204509; rev:1;) alert tcp $HOME_NET any -> [46.17.41.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204510; rev:1;) alert tcp $HOME_NET any -> [178.239.21.122] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204511; rev:1;)
# SSLBL IP/port rules, sid 905204512-905204668. The wrapped text is rejoined here so that
# each rule sits on one line; rule text is unchanged.
#
# What a hit means: every rule below fires on an established, client-to-server TCP flow
# from $HOME_NET to one listed address on one listed port. No rule carries a content,
# TLS or certificate match, so an alert says "an internal host connected to this
# endpoint", not "this family was identified on the wire". The family in msg is the
# feed's own label and is worded "likely".
#
# Alert volume: threshold type limit / track by_src / seconds 60 / count 1 caps each sid
# at one alert per source address per 60 seconds. Repeated connections inside that
# window raise no further alerts, so use flow or connection logs to size the activity.
#
# Triage: the same address can appear under several sids with different ports
# (e.g. 194.5.98.56 on 5532, 5542 and 7742; 185.244.30.114 on 5007, 8891 and 92),
# so correlate by destination IP rather than by sid. sid 905204643 is labelled
# "Malware distribution traffic" rather than C&C.
#
# NOTE(review): every rule is rev:1 and the only date in the file is the header's
# "Last updated" stamp, so the age of an individual entry cannot be read from the rule.
# Addresses may have been reassigned since listing - confirm against current SSLBL
# data before treating a hit as a confirmed compromise or changing alert to drop.
# NOTE(review): Snort documents the in-rule threshold keyword as deprecated in favour of
# detection_filter / event_filter, while Suricata accepts it - verify on the engine in use.
alert tcp $HOME_NET any -> [213.152.161.15] 21483 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204512; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.169] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204513; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.201] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204514; rev:1;)
alert tcp $HOME_NET any -> [185.246.116.239] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204515; rev:1;)
alert tcp $HOME_NET any -> [46.17.44.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204516; rev:1;)
alert tcp $HOME_NET any -> [46.173.214.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204517; rev:1;)
alert tcp $HOME_NET any -> [46.17.41.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204518; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.207] 7134 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204519; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.126] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204520; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204521; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.70] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204522; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.235] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204523; rev:1;)
alert tcp $HOME_NET any -> [195.54.162.197] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204524; rev:1;)
alert tcp $HOME_NET any -> [89.238.181.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204525; rev:1;)
alert tcp $HOME_NET any -> [45.35.190.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204526; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.181] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204527; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.106] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204528; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204529; rev:1;)
alert tcp $HOME_NET any -> [103.63.2.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204530; rev:1;)
alert tcp $HOME_NET any -> [89.223.28.225] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204531; rev:1;)
alert tcp $HOME_NET any -> [89.223.28.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204532; rev:1;)
alert tcp $HOME_NET any -> [185.86.148.251] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204533; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.88] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204534; rev:1;)
alert tcp $HOME_NET any -> [185.206.145.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204535; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.163] 6190 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204536; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.142] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204537; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.14] 1130 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204538; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.99] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204539; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.107] 1966 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204540; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.34] 7210 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204541; rev:1;)
alert tcp $HOME_NET any -> [209.58.186.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204542; rev:1;)
alert tcp $HOME_NET any -> [108.170.60.189] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204543; rev:1;)
alert tcp $HOME_NET any -> [185.77.129.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204544; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.113] 6649 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204545; rev:1;)
alert tcp $HOME_NET any -> [82.199.134.139] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204546; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.120] 1130 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204547; rev:1;)
alert tcp $HOME_NET any -> [5.206.225.115] 5000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204548; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204549; rev:1;)
alert tcp $HOME_NET any -> [54.38.146.43] 8888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204550; rev:1;)
alert tcp $HOME_NET any -> [5.2.64.188] 5299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204551; rev:1;)
alert tcp $HOME_NET any -> [185.212.47.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204552; rev:1;)
alert tcp $HOME_NET any -> [83.166.245.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204553; rev:1;)
alert tcp $HOME_NET any -> [194.76.225.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204554; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.193] 8008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204555; rev:1;)
alert tcp $HOME_NET any -> [5.2.67.66] 5299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204556; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.165] 1900 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204557; rev:1;)
alert tcp $HOME_NET any -> [181.215.47.171] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204558; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.68] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204559; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.56] 5532 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204560; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.158] 7210 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204561; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204562; rev:1;)
alert tcp $HOME_NET any -> [37.59.134.55] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204563; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.234] 7578 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204564; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204565; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.19] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204566; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.136] 6229 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204567; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.139] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204568; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.60] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204569; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204570; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.194] 5090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204571; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.161] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204572; rev:1;)
alert tcp $HOME_NET any -> [185.156.174.115] 19741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204573; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.91] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204574; rev:1;)
alert tcp $HOME_NET any -> [185.174.173.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204575; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.106] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204576; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.2] 1995 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204577; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.114] 5007 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204578; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.73] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204579; rev:1;)
alert tcp $HOME_NET any -> [193.29.56.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204580; rev:1;)
alert tcp $HOME_NET any -> [45.55.36.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204581; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.7] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204582; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.104] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204583; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.103] 5011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204584; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204585; rev:1;)
alert tcp $HOME_NET any -> [87.236.22.142] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204586; rev:1;)
alert tcp $HOME_NET any -> [144.76.215.117] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204587; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.56] 5542 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204588; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.52] 2225 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204589; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.226] 1785 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204590; rev:1;)
alert tcp $HOME_NET any -> [140.82.48.224] 3040 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204591; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.98] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204592; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.114] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204593; rev:1;)
alert tcp $HOME_NET any -> [45.249.90.124] 7322 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204594; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.38] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204595; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.75] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204596; rev:1;)
alert tcp $HOME_NET any -> [31.7.188.40] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204597; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.6] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204598; rev:1;)
alert tcp $HOME_NET any -> [185.141.62.213] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204599; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.207] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204600; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.159] 2121 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204601; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.60] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204602; rev:1;)
alert tcp $HOME_NET any -> [195.123.227.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204603; rev:1;)
alert tcp $HOME_NET any -> [92.222.10.99] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204604; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.114] 92 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204605; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.105] 5689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204606; rev:1;)
alert tcp $HOME_NET any -> [94.103.83.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204607; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.69] 5843 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204608; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.56] 7742 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204609; rev:1;)
alert tcp $HOME_NET any -> [181.129.171.34] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204610; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.60] 2040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204611; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.16] 5738 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204612; rev:1;)
alert tcp $HOME_NET any -> [81.177.141.211] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204613; rev:1;)
alert tcp $HOME_NET any -> [194.99.20.254] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204614; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204615; rev:1;)
alert tcp $HOME_NET any -> [185.202.174.91] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204616; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.164] 1973 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204617; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.40] 5290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204618; rev:1;)
alert tcp $HOME_NET any -> [46.166.173.109] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204619; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.101] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204620; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.106] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204621; rev:1;)
alert tcp $HOME_NET any -> [68.183.249.84] 3040 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204622; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.109] 5552 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204623; rev:1;)
alert tcp $HOME_NET any -> [185.22.65.5] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204624; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.109] 7742 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204625; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.113] 7328 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204626; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.226] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204627; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.71] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204628; rev:1;)
alert tcp $HOME_NET any -> [94.185.86.56] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204629; rev:1;)
alert tcp $HOME_NET any -> [54.37.86.44] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204630; rev:1;)
alert tcp $HOME_NET any -> [18.221.114.76] 1515 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204631; rev:1;)
alert tcp $HOME_NET any -> [178.162.132.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204632; rev:1;)
alert tcp $HOME_NET any -> [78.155.220.198] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204633; rev:1;)
alert tcp $HOME_NET any -> [138.197.148.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204634; rev:1;)
alert tcp $HOME_NET any -> [181.129.146.34] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204635; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Zebrocy C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204636; rev:1;)
alert tcp $HOME_NET any -> [212.73.150.215] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204637; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204638; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.139] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204639; rev:1;)
alert tcp $HOME_NET any -> [192.99.212.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204640; rev:1;)
alert tcp $HOME_NET any -> [199.21.106.189] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204641; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.93] 9888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204642; rev:1;)
alert tcp $HOME_NET any -> [162.244.32.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204643; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.138] 55314 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204644; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.67] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204645; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204646; rev:1;)
alert tcp $HOME_NET any -> [82.199.134.156] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204647; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.79] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204648; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.205] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204649; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.107] 4389 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204650; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.48] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204651; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204652; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204653; rev:1;)
alert tcp $HOME_NET any -> [136.25.2.43] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204654; rev:1;)
alert tcp $HOME_NET any -> [95.47.161.68] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204655; rev:1;)
alert tcp $HOME_NET any -> [192.227.248.175] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204656; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.44] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204657; rev:1;)
alert tcp $HOME_NET any -> [103.89.88.88] 8898 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204658; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.10] 7650 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204659; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.121] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204660; rev:1;)
alert tcp $HOME_NET any -> [68.111.123.100] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204661; rev:1;)
alert tcp $HOME_NET any -> [81.177.180.174] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204662; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.250] 683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204663; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.97] 683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204664; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.148] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204665; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.105] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204666; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.59] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204667; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204668; rev:1;)
alert 
tcp $HOME_NET any -> [173.46.85.22] 5000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204669; rev:1;) alert tcp $HOME_NET any -> [185.125.205.78] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204670; rev:1;) alert tcp $HOME_NET any -> [185.189.149.187] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204671; rev:1;) alert tcp $HOME_NET any -> [181.129.93.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204672; rev:1;) alert tcp $HOME_NET any -> [179.43.176.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204673; rev:1;) alert tcp $HOME_NET any -> [212.47.194.15] 8898 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204674; rev:1;) alert tcp $HOME_NET any -> [195.123.212.149] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204675; rev:1;) alert tcp $HOME_NET any -> [173.254.223.115] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204676; rev:1;) alert tcp $HOME_NET any -> [185.231.153.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204677; rev:1;) alert tcp $HOME_NET any -> [195.123.213.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204678; rev:1;) alert tcp $HOME_NET any -> [137.74.131.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204679; rev:1;) alert tcp $HOME_NET any -> [185.127.27.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204680; rev:1;) alert tcp $HOME_NET any -> [93.115.26.171] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204681; rev:1;) alert tcp $HOME_NET any -> [35.198.61.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204682; rev:1;) alert tcp $HOME_NET any -> [194.68.225.63] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204683; rev:1;) alert tcp $HOME_NET any -> [94.237.44.31] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905204684; rev:1;) alert tcp $HOME_NET any -> [194.5.99.119] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204685; rev:1;) alert tcp $HOME_NET any -> [31.171.152.103] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204686; rev:1;) alert tcp $HOME_NET any -> [109.230.199.159] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204687; rev:1;) alert tcp $HOME_NET any -> [109.230.199.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204688; rev:1;) alert tcp $HOME_NET any -> [185.181.165.20] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204689; rev:1;) alert tcp $HOME_NET any -> [103.249.88.244] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204690; rev:1;) alert tcp $HOME_NET any -> [185.244.30.109] 5532 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204691; rev:1;) alert tcp $HOME_NET any -> [37.10.71.110] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204692; rev:1;) alert tcp $HOME_NET any -> [208.79.106.86] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204693; rev:1;) alert tcp $HOME_NET any -> [31.171.152.106] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204694; rev:1;) alert tcp $HOME_NET any -> [91.192.100.15] 7274 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204695; rev:1;) alert tcp $HOME_NET any -> [194.5.99.63] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204696; rev:1;) alert tcp $HOME_NET any -> [144.217.242.133] 10135 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204697; rev:1;) alert tcp $HOME_NET any -> [216.27.121.122] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204698; rev:1;) alert tcp $HOME_NET any -> [95.213.251.165] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204699; rev:1;) alert tcp $HOME_NET any -> [173.46.85.97] 7462 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204700; rev:1;)
# How these rules match: each one alerts on TCP from $HOME_NET to a single
# destination address and port. No payload, TLS or certificate option is
# present, so the address/port pair is the only evidence behind an alert and
# the malware family in msg is the feed's attribution ("likely"), not
# something the sensor observed.
#   flow:established,to_server  - only established flows, client-to-server direction.
#   threshold type limit, track by_src, seconds 60, count 1
#                               - at most one alert per source address per
#                                 60 seconds for each rule (sid).
# Triage: corroborate with TLS metadata for the same flow (SNI, server
# certificate fingerprint) and with endpoint telemetry from the source host
# before attributing an alert to the named family.
alert tcp $HOME_NET any -> [178.33.137.136] 65535 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204701; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.3] 3545 (msg:"SSLBL: Traffic to malicious host (likely NetWire C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204702; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.240] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204703; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.111] 7063 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204704; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.90] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204705; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.98] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204706; rev:1;)
alert tcp $HOME_NET any -> [23.231.4.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Loki C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204707; rev:1;)
# NOTE(review): 104.18.34.162 appears to sit inside a range announced by a
# large CDN / reverse-proxy provider (Cloudflare) - confirm against the
# provider's published ranges. If so, the address is shared by many unrelated
# sites and this rule fires on any established TCP/443 flow to it, whichever
# hostname was requested. Expect false positives; require a matching SNI or
# certificate fingerprint before acting on sid:905204708, or suppress it and
# rely on a certificate/SNI-based detection instead.
alert tcp $HOME_NET any -> [104.18.34.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204708; rev:1;)
alert tcp $HOME_NET any -> [194.165.3.3] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204709; rev:1;)
alert tcp $HOME_NET any -> [51.38.133.245] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204710; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.58] 1409 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204711; rev:1;)
alert tcp $HOME_NET any -> [170.247.3.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204712; rev:1;)
alert tcp $HOME_NET any -> [187.61.108.254] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204713; rev:1;)
alert tcp $HOME_NET any -> [94.130.40.150] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204714; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.85] 5099 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204715; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.86] 
4435 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204716; rev:1;) alert tcp $HOME_NET any -> [185.148.241.57] 2049 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204717; rev:1;) alert tcp $HOME_NET any -> [104.148.109.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204718; rev:1;) alert tcp $HOME_NET any -> [185.244.30.109] 5542 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204719; rev:1;) alert tcp $HOME_NET any -> [181.209.88.26] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204720; rev:1;) alert tcp $HOME_NET any -> [187.19.17.132] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204721; rev:1;) alert tcp $HOME_NET any -> [185.125.205.68] 1918 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204722; rev:1;) alert tcp $HOME_NET any -> [194.5.99.117] 6040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204723; rev:1;) alert tcp 
$HOME_NET any -> [205.237.44.244] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204724; rev:1;) alert tcp $HOME_NET any -> [181.215.247.224] 9620 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204725; rev:1;) alert tcp $HOME_NET any -> [208.73.200.123] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204726; rev:1;) alert tcp $HOME_NET any -> [170.79.176.242] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204727; rev:1;) alert tcp $HOME_NET any -> [193.37.213.27] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204728; rev:1;) alert tcp $HOME_NET any -> [186.147.161.204] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204729; rev:1;) alert tcp $HOME_NET any -> [186.167.66.51] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204730; rev:1;) alert tcp $HOME_NET any -> [194.76.224.11] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204731; rev:1;) alert tcp $HOME_NET any -> [54.180.98.118] 1081 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204732; rev:1;) alert tcp $HOME_NET any -> [45.225.65.178] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204733; rev:1;) alert tcp $HOME_NET any -> [58.84.34.214] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204734; rev:1;) alert tcp $HOME_NET any -> [213.32.93.218] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204735; rev:1;) alert tcp $HOME_NET any -> [103.1.184.108] 54984 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204736; rev:1;) alert tcp $HOME_NET any -> [193.56.28.161] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204737; rev:1;) alert tcp $HOME_NET any -> [31.171.152.106] 2522 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204738; rev:1;) alert tcp $HOME_NET any -> [94.237.28.110] 3737 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204739; rev:1;) alert tcp $HOME_NET any -> [176.119.158.39] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204740; rev:1;) alert tcp $HOME_NET any -> [185.158.249.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204741; rev:1;) alert tcp $HOME_NET any -> [94.156.189.60] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204742; rev:1;) alert tcp $HOME_NET any -> [185.158.251.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204743; rev:1;) alert tcp $HOME_NET any -> [200.116.76.159] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204744; rev:1;) alert tcp $HOME_NET any -> [205.201.36.227] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204745; rev:1;) alert tcp $HOME_NET any -> [125.209.82.158] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204746; rev:1;) alert tcp $HOME_NET any -> [95.168.176.160] 5525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204747; rev:1;) alert tcp $HOME_NET any -> [76.107.90.235] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204748; rev:1;) alert tcp $HOME_NET any -> [94.156.144.197] 5525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204749; rev:1;) alert tcp $HOME_NET any -> [185.189.149.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204750; rev:1;) alert tcp $HOME_NET any -> [51.75.162.41] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204751; rev:1;) alert tcp $HOME_NET any -> [147.135.165.107] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204752; rev:1;) alert tcp $HOME_NET any -> [72.226.102.151] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204753; rev:1;) alert tcp $HOME_NET any -> [47.44.54.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204754; rev:1;) alert tcp $HOME_NET any -> [110.164.69.92] 449 (msg:"SSLBL: Traffic to malicious host 
(likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204755; rev:1;) alert tcp $HOME_NET any -> [201.251.18.28] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204756; rev:1;) alert tcp $HOME_NET any -> [185.189.149.252] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204757; rev:1;) alert tcp $HOME_NET any -> [202.63.242.48] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204758; rev:1;) alert tcp $HOME_NET any -> [98.226.192.30] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204759; rev:1;) alert tcp $HOME_NET any -> [173.46.85.168] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204760; rev:1;) alert tcp $HOME_NET any -> [96.9.90.104] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204761; rev:1;) alert tcp $HOME_NET any -> [47.224.98.123] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204762; rev:1;) alert tcp $HOME_NET any -> [185.148.241.61] 7219 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204763; rev:1;) alert tcp $HOME_NET any -> [185.244.30.124] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204764; rev:1;) alert tcp $HOME_NET any -> [178.162.132.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204765; rev:1;) alert tcp $HOME_NET any -> [66.64.20.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204766; rev:1;) alert tcp $HOME_NET any -> [73.115.58.90] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204767; rev:1;) alert tcp $HOME_NET any -> [103.235.176.174] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204768; rev:1;) alert tcp $HOME_NET any -> [173.46.85.197] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204769; rev:1;) alert tcp $HOME_NET any -> [188.215.229.26] 3388 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204770; rev:1;) alert tcp 
$HOME_NET any -> [89.36.223.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204771; rev:1;) alert tcp $HOME_NET any -> [194.5.99.175] 2112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204772; rev:1;) alert tcp $HOME_NET any -> [24.217.193.43] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204773; rev:1;) alert tcp $HOME_NET any -> [24.217.192.131] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204774; rev:1;) alert tcp $HOME_NET any -> [160.20.147.219] 1000 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204775; rev:1;) alert tcp $HOME_NET any -> [24.247.182.253] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204776; rev:1;) alert tcp $HOME_NET any -> [24.247.182.156] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204777; rev:1;) alert tcp $HOME_NET any -> [46.29.167.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905204778; rev:1;) alert tcp $HOME_NET any -> [108.174.120.172] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204779; rev:1;) alert tcp $HOME_NET any -> [37.252.5.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204780; rev:1;) alert tcp $HOME_NET any -> [190.109.178.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204781; rev:1;) alert tcp $HOME_NET any -> [85.143.219.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204782; rev:1;) alert tcp $HOME_NET any -> [45.161.216.57] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204783; rev:1;) alert tcp $HOME_NET any -> [177.104.252.32] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204784; rev:1;) alert tcp $HOME_NET any -> [204.14.154.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204785; rev:1;) alert tcp $HOME_NET any -> [73.2.223.45] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905204786; rev:1;) alert tcp $HOME_NET any -> [97.87.175.152] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204787; rev:1;) alert tcp $HOME_NET any -> [24.217.49.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204788; rev:1;) alert tcp $HOME_NET any -> [185.86.150.77] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204789; rev:1;) alert tcp $HOME_NET any -> [185.61.148.31] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204790; rev:1;) alert tcp $HOME_NET any -> [185.148.241.41] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204791; rev:1;) alert tcp $HOME_NET any -> [62.76.74.249] 13337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204792; rev:1;) alert tcp $HOME_NET any -> [63.135.55.17] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204793; rev:1;) alert tcp $HOME_NET any -> [45.6.127.2] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204794; rev:1;) alert tcp $HOME_NET any -> [24.247.182.169] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204795; rev:1;) alert tcp $HOME_NET any -> [104.255.182.45] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204796; rev:1;) alert tcp $HOME_NET any -> [68.119.85.138] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204797; rev:1;) alert tcp $HOME_NET any -> [62.173.138.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204798; rev:1;) alert tcp $HOME_NET any -> [23.111.148.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204799; rev:1;) alert tcp $HOME_NET any -> [185.223.163.26] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204800; rev:1;) alert tcp $HOME_NET any -> [89.223.94.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204801; rev:1;) alert tcp $HOME_NET any -> [185.101.94.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204802; rev:1;) alert tcp $HOME_NET any -> [179.43.183.150] 3003 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204803; rev:1;) alert tcp $HOME_NET any -> [179.43.183.150] 3004 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204804; rev:1;) alert tcp $HOME_NET any -> [195.69.187.56] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204805; rev:1;) alert tcp $HOME_NET any -> [104.223.76.206] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204806; rev:1;) alert tcp $HOME_NET any -> [213.183.58.39] 8280 (msg:"SSLBL: Traffic to malicious host (likely Meterpreter C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204807; rev:1;) alert tcp $HOME_NET any -> [46.166.161.186] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204808; rev:1;) alert tcp $HOME_NET any -> [185.158.251.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204809; rev:1;) alert tcp $HOME_NET any -> [24.247.182.159] 449 (msg:"SSLBL: Traffic to malicious 
host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204810; rev:1;) alert tcp $HOME_NET any -> [24.247.182.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204811; rev:1;) alert tcp $HOME_NET any -> [185.101.105.128] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204812; rev:1;) alert tcp $HOME_NET any -> [188.120.236.10] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204813; rev:1;) alert tcp $HOME_NET any -> [37.59.160.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204814; rev:1;) alert tcp $HOME_NET any -> [185.66.9.143] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204815; rev:1;) alert tcp $HOME_NET any -> [109.234.38.226] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204816; rev:1;) alert tcp $HOME_NET any -> [31.148.219.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204817; rev:1;) alert tcp $HOME_NET any -> [192.162.244.23] 443 
(msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204818; rev:1;) alert tcp $HOME_NET any -> [94.140.125.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204819; rev:1;) alert tcp $HOME_NET any -> [185.174.173.140] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204820; rev:1;) alert tcp $HOME_NET any -> [46.29.160.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204821; rev:1;) alert tcp $HOME_NET any -> [213.183.63.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204822; rev:1;) alert tcp $HOME_NET any -> [24.247.182.225] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204823; rev:1;) alert tcp $HOME_NET any -> [82.146.56.170] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204824; rev:1;) alert tcp $HOME_NET any -> [185.125.205.77] 7524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204825; rev:1;) alert tcp $HOME_NET any -> 
[179.43.156.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204826; rev:1;) alert tcp $HOME_NET any -> [185.203.118.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204827; rev:1;) alert tcp $HOME_NET any -> [91.201.65.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204828; rev:1;) alert tcp $HOME_NET any -> [185.22.172.180] 5051 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204829; rev:1;) alert tcp $HOME_NET any -> [24.247.182.29] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204830; rev:1;) alert tcp $HOME_NET any -> [24.247.182.174] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204831; rev:1;) alert tcp $HOME_NET any -> [174.34.253.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204832; rev:1;) alert tcp $HOME_NET any -> [178.21.8.42] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204833; rev:1;) 
# Reading these alerts: the rules shown here match on destination address and port
# alone (no TLS fingerprint or payload content), so the malware family in msg is
# the feed's "likely" label, not something the rule verifies on the wire.
# flow:established,to_server means a hit requires a completed TCP handshake from
# $HOME_NET; an attempt already dropped at the egress firewall raises no alert here.
# threshold (type limit, track by_src, 60 s, count 1) is set per rule, and some
# address:port pairs appear under two sids with different labels (below:
# 144.202.23.191:443 as sid 905204839 and sid 905204840), so one session can raise
# two alerts; correlate on destination address and port rather than on sid.
# NOTE(review): the file header marks this as the "Aggressive" variant, which as far
# as I know keeps addresses long after they were last seen active; confirm the
# current SSLBL status of an address before treating a hit as a confirmed infection.
alert tcp $HOME_NET any -> [24.247.182.39] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204834; rev:1;) alert tcp $HOME_NET any -> [95.181.198.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204835; rev:1;) alert tcp $HOME_NET any -> [64.128.175.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204836; rev:1;) alert tcp $HOME_NET any -> [109.234.36.198] 1616 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204837; rev:1;) alert tcp $HOME_NET any -> [185.86.149.175] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204838; rev:1;) alert tcp $HOME_NET any -> [144.202.23.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204839; rev:1;) alert tcp $HOME_NET any -> [144.202.23.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204840; rev:1;) alert tcp $HOME_NET any -> [35.202.16.252] 1336 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204841; rev:1;) alert tcp $HOME_NET any -> [185.197.75.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204842; rev:1;) alert tcp $HOME_NET any -> [24.247.182.7] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204843; rev:1;) alert tcp $HOME_NET any -> [184.106.153.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204844; rev:1;) alert tcp $HOME_NET any -> [94.140.125.119] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204845; rev:1;) alert tcp $HOME_NET any -> [188.120.243.46] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204846; rev:1;) alert tcp $HOME_NET any -> [194.5.250.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204847; rev:1;) alert tcp $HOME_NET any -> [185.86.150.220] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204848; rev:1;) alert tcp $HOME_NET any -> [74.132.135.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204849; rev:1;) alert tcp $HOME_NET any -> [185.65.202.12] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204850; rev:1;) alert tcp $HOME_NET any -> [213.183.51.208] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204851; rev:1;) alert tcp $HOME_NET any -> [198.61.196.18] 1801 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204852; rev:1;) alert tcp $HOME_NET any -> [37.60.177.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204853; rev:1;) alert tcp $HOME_NET any -> [193.37.212.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204854; rev:1;) alert tcp $HOME_NET any -> [85.217.170.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204855; rev:1;) alert tcp $HOME_NET any -> [37.187.61.1] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204856; rev:1;) alert tcp $HOME_NET any -> [62.210.248.53] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204857; rev:1;) alert tcp $HOME_NET any -> [92.63.197.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204858; rev:1;) alert tcp $HOME_NET any -> [83.166.242.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204859; rev:1;) alert tcp $HOME_NET any -> [185.148.241.50] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204860; rev:1;) alert tcp $HOME_NET any -> [97.87.172.0] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204861; rev:1;) alert tcp $HOME_NET any -> [185.25.50.204] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204862; rev:1;) alert tcp $HOME_NET any -> [81.176.239.195] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204863; rev:1;) alert tcp $HOME_NET any -> [75.108.123.165] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204864; rev:1;) alert tcp $HOME_NET any -> [185.158.251.55] 443 (msg:"SSLBL: Traffic to malicious host (likely 
Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204865; rev:1;) alert tcp $HOME_NET any -> [185.244.150.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204866; rev:1;) alert tcp $HOME_NET any -> [172.106.33.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204867; rev:1;) alert tcp $HOME_NET any -> [72.241.62.188] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204868; rev:1;) alert tcp $HOME_NET any -> [192.48.88.22] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204869; rev:1;) alert tcp $HOME_NET any -> [176.10.118.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204870; rev:1;) alert tcp $HOME_NET any -> [95.181.198.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204871; rev:1;) alert tcp $HOME_NET any -> [185.238.136.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204872; rev:1;) alert tcp $HOME_NET any -> [95.181.198.233] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204873; rev:1;) alert tcp $HOME_NET any -> [146.0.72.183] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204874; rev:1;) alert tcp $HOME_NET any -> [185.246.155.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204875; rev:1;) alert tcp $HOME_NET any -> [95.181.198.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204876; rev:1;) alert tcp $HOME_NET any -> [37.252.9.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204877; rev:1;) alert tcp $HOME_NET any -> [178.162.132.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204878; rev:1;) alert tcp $HOME_NET any -> [83.166.240.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204879; rev:1;) alert tcp $HOME_NET any -> [47.74.242.150] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204880; rev:1;) alert tcp $HOME_NET any -> [3.16.149.119] 10134 (msg:"SSLBL: 
Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204881; rev:1;) alert tcp $HOME_NET any -> [185.203.118.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204882; rev:1;) alert tcp $HOME_NET any -> [77.222.63.66] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204883; rev:1;) alert tcp $HOME_NET any -> [185.129.49.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204884; rev:1;) alert tcp $HOME_NET any -> [83.166.247.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204885; rev:1;) alert tcp $HOME_NET any -> [199.227.126.250] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204886; rev:1;) alert tcp $HOME_NET any -> [24.113.161.184] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204887; rev:1;) alert tcp $HOME_NET any -> [185.158.251.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204888; rev:1;) alert tcp $HOME_NET any -> 
[37.252.4.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204889; rev:1;) alert tcp $HOME_NET any -> [176.32.32.6] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204890; rev:1;) alert tcp $HOME_NET any -> [172.222.97.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204891; rev:1;) alert tcp $HOME_NET any -> [46.17.47.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204892; rev:1;) alert tcp $HOME_NET any -> [72.189.124.41] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204893; rev:1;) alert tcp $HOME_NET any -> [24.247.181.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204894; rev:1;) alert tcp $HOME_NET any -> [185.159.129.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204895; rev:1;) alert tcp $HOME_NET any -> [185.158.249.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204896; rev:1;) alert 
tcp $HOME_NET any -> [174.105.235.178] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204897; rev:1;) alert tcp $HOME_NET any -> [95.213.144.203] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204898; rev:1;) alert tcp $HOME_NET any -> [185.244.30.108] 2216 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204899; rev:1;) alert tcp $HOME_NET any -> [94.140.125.158] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204900; rev:1;) alert tcp $HOME_NET any -> [24.247.181.155] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204901; rev:1;) alert tcp $HOME_NET any -> [85.204.74.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204902; rev:1;) alert tcp $HOME_NET any -> [24.227.222.4] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204903; rev:1;) alert tcp $HOME_NET any -> [75.102.135.23] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204904; rev:1;) alert tcp $HOME_NET any -> [185.231.246.107] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204905; rev:1;) alert tcp $HOME_NET any -> [51.38.146.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204906; rev:1;) alert tcp $HOME_NET any -> [51.38.146.101] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204907; rev:1;) alert tcp $HOME_NET any -> [46.229.214.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204908; rev:1;) alert tcp $HOME_NET any -> [74.134.5.113] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204909; rev:1;) alert tcp $HOME_NET any -> [91.230.60.116] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204910; rev:1;) alert tcp $HOME_NET any -> [95.181.198.115] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204911; rev:1;) alert tcp $HOME_NET any -> [95.181.198.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905204912; rev:1;) alert tcp $HOME_NET any -> [95.181.198.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204913; rev:1;) alert tcp $HOME_NET any -> [66.60.121.58] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204914; rev:1;) alert tcp $HOME_NET any -> [74.140.160.33] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204915; rev:1;) alert tcp $HOME_NET any -> [65.31.241.133] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204916; rev:1;) alert tcp $HOME_NET any -> [206.130.141.255] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204917; rev:1;) alert tcp $HOME_NET any -> [145.239.140.188] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204918; rev:1;) alert tcp $HOME_NET any -> [192.162.244.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204919; rev:1;) alert tcp $HOME_NET any -> [92.38.132.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204920; rev:1;) alert tcp $HOME_NET any -> [92.223.105.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204921; rev:1;) alert tcp $HOME_NET any -> [24.119.69.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204922; rev:1;) alert tcp $HOME_NET any -> [188.227.18.135] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204923; rev:1;) alert tcp $HOME_NET any -> [185.183.96.145] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204924; rev:1;) alert tcp $HOME_NET any -> [76.181.182.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204925; rev:1;) alert tcp $HOME_NET any -> [174.105.233.82] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204926; rev:1;) alert tcp $HOME_NET any -> [54.39.218.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204927; rev:1;) alert tcp $HOME_NET any -> [185.125.205.73] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204928; rev:1;) alert tcp $HOME_NET any -> [54.39.218.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204929; rev:1;) alert tcp $HOME_NET any -> [104.236.212.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204930; rev:1;) alert tcp $HOME_NET any -> [192.48.88.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204931; rev:1;) alert tcp $HOME_NET any -> [192.48.88.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204932; rev:1;) alert tcp $HOME_NET any -> [144.217.37.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204933; rev:1;) alert tcp $HOME_NET any -> [66.70.205.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204934; rev:1;) alert tcp $HOME_NET any -> [205.157.150.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204935; rev:1;) alert tcp $HOME_NET any -> [207.140.14.141] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204936; rev:1;) alert tcp $HOME_NET any -> [71.193.151.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204937; rev:1;) alert tcp $HOME_NET any -> [73.67.78.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204938; rev:1;) alert tcp $HOME_NET any -> [67.49.38.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204939; rev:1;) alert tcp $HOME_NET any -> [47.254.153.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204940; rev:1;) alert tcp $HOME_NET any -> [68.4.173.10] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204941; rev:1;) alert tcp $HOME_NET any -> [140.190.54.187] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204942; rev:1;) alert tcp $HOME_NET any -> [54.39.81.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204943; rev:1;) alert tcp $HOME_NET any -> [194.147.35.87] 443 (msg:"SSLBL: Traffic to malicious 
host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204944; rev:1;) alert tcp $HOME_NET any -> [185.121.166.26] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204945; rev:1;) alert tcp $HOME_NET any -> [185.127.27.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204946; rev:1;)
# NOTE(review): the family name in msg is spelled "IcedID" in sid:905204947 and
# "IcedId" in sid:905204948, and both spellings recur in other rules of this
# file. Alert grouping or correlation that keys on the msg string should compare
# case-insensitively, or key on sid, so hits for one family are not split.
alert tcp $HOME_NET any -> [185.48.57.117] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204947; rev:1;) alert tcp $HOME_NET any -> [83.217.10.56] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204948; rev:1;) alert tcp $HOME_NET any -> [81.177.135.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204949; rev:1;) alert tcp $HOME_NET any -> [54.39.81.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204950; rev:1;) alert tcp $HOME_NET any -> [185.86.151.152] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204951; rev:1;) alert tcp $HOME_NET any -> [193.183.98.122] 443 
(msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204952; rev:1;) alert tcp $HOME_NET any -> [185.144.29.92] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204953; rev:1;) alert tcp $HOME_NET any -> [85.143.220.184] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204954; rev:1;) alert tcp $HOME_NET any -> [68.3.14.71] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204955; rev:1;) alert tcp $HOME_NET any -> [69.57.26.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204956; rev:1;) alert tcp $HOME_NET any -> [95.215.44.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204957; rev:1;) alert tcp $HOME_NET any -> [185.117.72.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204958; rev:1;) alert tcp $HOME_NET any -> [54.39.74.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204959; rev:1;) alert tcp $HOME_NET any -> 
[185.45.193.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204960; rev:1;) alert tcp $HOME_NET any -> [95.181.179.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204961; rev:1;) alert tcp $HOME_NET any -> [91.192.100.20] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204962; rev:1;) alert tcp $HOME_NET any -> [190.181.235.50] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204963; rev:1;) alert tcp $HOME_NET any -> [80.87.193.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204964; rev:1;) alert tcp $HOME_NET any -> [185.94.96.226] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204965; rev:1;) alert tcp $HOME_NET any -> [94.140.125.232] 8443 (msg:"SSLBL: Traffic to malicious host (likely CoinMiner C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204966; rev:1;)
# NOTE(review): sid:905204967 is labelled "Sinkhole traffic", not a malware
# family. Presumably the destination is sinkholed infrastructure rather than a
# live C&C server; confirm against the SSLBL entry. The rule keeps the same
# "malicious host" wording and classtype:trojan-activity as the C&C rules, so a
# hit still calls for triage of the source host, and any different priority for
# sinkhole hits has to be assigned downstream by sid.
alert tcp $HOME_NET any -> [192.42.119.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204967; rev:1;) 
# NOTE(review): the rules in this part of the file match on destination IP and
# port only (flow:established,to_server, with no payload, TLS or certificate
# keyword). An alert therefore means that a $HOME_NET host completed a TCP
# connection to the listed address; the family named in msg is marked "likely"
# and is not verified by the rule itself. Corroborate with TLS/certificate or
# endpoint evidence before treating a hit as a confirmed infection.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per source address per 60 seconds for each rule, so alert counts
# understate the number of connections.
# The file header marks this as the "Aggressive" list; IP addresses can be
# reassigned over time, so check the age of the entry on SSLBL when triaging.
alert tcp $HOME_NET any -> [185.92.74.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204968; rev:1;) alert tcp $HOME_NET any -> [95.179.144.131] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204969; rev:1;) alert tcp $HOME_NET any -> [46.29.164.171] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204970; rev:1;) alert tcp $HOME_NET any -> [46.36.220.116] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204971; rev:1;) alert tcp $HOME_NET any -> [185.68.93.59] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204972; rev:1;) alert tcp $HOME_NET any -> [31.214.157.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204973; rev:1;) alert tcp $HOME_NET any -> [98.177.188.224] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204974; rev:1;) alert tcp $HOME_NET any -> [46.148.26.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905204975; rev:1;) alert tcp $HOME_NET any -> [185.22.154.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204976; rev:1;) alert tcp $HOME_NET any -> [198.46.207.107] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204977; rev:1;) alert tcp $HOME_NET any -> [185.77.129.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204978; rev:1;) alert tcp $HOME_NET any -> [68.45.243.125] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204979; rev:1;) alert tcp $HOME_NET any -> [71.94.101.25] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204980; rev:1;) alert tcp $HOME_NET any -> [92.38.130.63] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204981; rev:1;) alert tcp $HOME_NET any -> [110.232.86.52] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204982; rev:1;) alert tcp $HOME_NET any -> [51.68.184.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905204983; rev:1;) alert tcp $HOME_NET any -> [136.243.189.204] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204984; rev:1;) alert tcp $HOME_NET any -> [185.251.38.178] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204985; rev:1;) alert tcp $HOME_NET any -> [37.235.251.150] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204986; rev:1;) alert tcp $HOME_NET any -> [95.181.179.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204987; rev:1;) alert tcp $HOME_NET any -> [5.2.67.212] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204988; rev:1;) alert tcp $HOME_NET any -> [93.189.43.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204989; rev:1;) alert tcp $HOME_NET any -> [185.17.123.248] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204990; rev:1;) alert tcp $HOME_NET any -> [54.39.175.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905204991; rev:1;) alert tcp $HOME_NET any -> [186.47.103.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204992; rev:1;) alert tcp $HOME_NET any -> [192.252.209.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204993; rev:1;) alert tcp $HOME_NET any -> [107.175.127.147] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204994; rev:1;) alert tcp $HOME_NET any -> [46.105.131.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204995; rev:1;) alert tcp $HOME_NET any -> [185.189.132.134] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204996; rev:1;) alert tcp $HOME_NET any -> [185.231.154.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204997; rev:1;) alert tcp $HOME_NET any -> [185.94.99.7] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204998; rev:1;) alert tcp $HOME_NET any -> [54.39.124.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204999; rev:1;) alert tcp $HOME_NET any -> [23.226.138.169] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205000; rev:1;) alert tcp $HOME_NET any -> [46.29.160.120] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205001; rev:1;) alert tcp $HOME_NET any -> [93.170.105.33] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205002; rev:1;) alert tcp $HOME_NET any -> [5.104.41.188] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205003; rev:1;) alert tcp $HOME_NET any -> [202.137.121.14] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205004; rev:1;) alert tcp $HOME_NET any -> [185.251.39.118] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205005; rev:1;) alert tcp $HOME_NET any -> [185.161.211.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205006; rev:1;) alert tcp $HOME_NET any -> [31.31.161.165] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205007; rev:1;)
# NOTE(review): sid:905205008 and sid:905205009 name the same destination,
# 54.39.167.242 port 443, and differ only in the family given in msg (TrickBot
# vs Ransomware). A single connection matches both rules and can raise two
# alerts; neither label on its own identifies the family, so deduplicate on
# source/destination when counting affected hosts.
alert tcp $HOME_NET any -> [54.39.167.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205008; rev:1;) alert tcp $HOME_NET any -> [54.39.167.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205009; rev:1;) alert tcp $HOME_NET any -> [185.246.153.252] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205010; rev:1;) alert tcp $HOME_NET any -> [46.29.165.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205011; rev:1;) alert tcp $HOME_NET any -> [185.221.153.27] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205012; rev:1;) alert tcp $HOME_NET any -> [23.94.41.215] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205013; rev:1;) alert tcp $HOME_NET any -> [212.23.70.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205014; rev:1;) alert tcp $HOME_NET any -> [87.121.98.37] 443 (msg:"SSLBL: Traffic to malicious 
host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205015; rev:1;) alert tcp $HOME_NET any -> [190.145.74.84] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205016; rev:1;) alert tcp $HOME_NET any -> [31.179.162.86] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205017; rev:1;) alert tcp $HOME_NET any -> [167.114.13.91] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205018; rev:1;) alert tcp $HOME_NET any -> [179.127.254.196] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205019; rev:1;) alert tcp $HOME_NET any -> [193.187.91.238] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205020; rev:1;) alert tcp $HOME_NET any -> [187.190.249.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205021; rev:1;) alert tcp $HOME_NET any -> [71.13.140.89] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205022; rev:1;) alert tcp $HOME_NET any -> [169.1.39.89] 
443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205023; rev:1;) alert tcp $HOME_NET any -> [81.19.210.19] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205024; rev:1;) alert tcp $HOME_NET any -> [142.44.207.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205025; rev:1;) alert tcp $HOME_NET any -> [173.239.128.74] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205026; rev:1;) alert tcp $HOME_NET any -> [105.27.171.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205027; rev:1;) alert tcp $HOME_NET any -> [91.235.136.114] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205028; rev:1;) alert tcp $HOME_NET any -> [185.86.150.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205029; rev:1;) alert tcp $HOME_NET any -> [42.115.91.177] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205030; rev:1;) alert tcp 
$HOME_NET any -> [185.66.227.183] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205031; rev:1;) alert tcp $HOME_NET any -> [181.113.17.230] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205032; rev:1;) alert tcp $HOME_NET any -> [198.100.157.163] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205033; rev:1;) alert tcp $HOME_NET any -> [91.192.100.15] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205034; rev:1;) alert tcp $HOME_NET any -> [115.78.3.170] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205035; rev:1;) alert tcp $HOME_NET any -> [103.110.91.118] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205036; rev:1;) alert tcp $HOME_NET any -> [91.227.16.125] 443 (msg:"SSLBL: Traffic to malicious host (likely PlugX C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205037; rev:1;) alert tcp $HOME_NET any -> [193.187.91.243] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905205038; rev:1;) alert tcp $HOME_NET any -> [170.81.32.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205039; rev:1;) alert tcp $HOME_NET any -> [217.147.170.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205040; rev:1;) alert tcp $HOME_NET any -> [70.48.101.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205041; rev:1;) alert tcp $HOME_NET any -> [185.77.129.136] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205042; rev:1;) alert tcp $HOME_NET any -> [103.10.145.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205043; rev:1;) alert tcp $HOME_NET any -> [185.205.209.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205044; rev:1;) alert tcp $HOME_NET any -> [185.173.94.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205045; rev:1;) alert tcp $HOME_NET any -> [185.154.21.160] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905205046; rev:1;)
# Every rule in this run has the same shape: it alerts on an established
# client-to-server TCP session (flow:established,to_server) from $HOME_NET to
# one listed IP address and port. No payload or TLS field is inspected.
# threshold "type limit, track by_src, seconds 60, count 1" logs at most one
# alert per source address per 60 seconds for each sid.
# Connection attempts that never complete the handshake (for example, ones
# dropped by an egress filter) do not satisfy flow:established and raise no
# alert here; correlate with firewall or flow logs when hunting.
# The family named in msg is the feed's "likely" attribution; the rule does not
# verify it. Listing dates are not shown in this file and addresses can be
# reassigned, so confirm an entry on SSLBL before treating a hit as a
# confirmed infection.
alert tcp $HOME_NET any -> [185.147.237.35] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205047; rev:1;)
alert tcp $HOME_NET any -> [128.201.92.41] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205048; rev:1;)
alert tcp $HOME_NET any -> [81.0.118.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205049; rev:1;)
alert tcp $HOME_NET any -> [185.63.190.149] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205050; rev:1;)
alert tcp $HOME_NET any -> [192.48.88.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205051; rev:1;)
alert tcp $HOME_NET any -> [66.229.97.133] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205052; rev:1;)
alert tcp $HOME_NET any -> [185.62.189.148] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205053; rev:1;)
alert tcp $HOME_NET any -> [182.50.64.148] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205054; rev:1;)
alert tcp $HOME_NET any -> [223.25.64.119] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205055; rev:1;)
alert tcp $HOME_NET any -> [93.189.46.215] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205056; rev:1;)
alert tcp $HOME_NET any -> [145.249.107.72] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205057; rev:1;)
# sid 905205058 (and sid 905205065 further down) lists port 80 for a host that
# is also listed on 443. The rule matches any established TCP session to that
# port, so these entries are not limited to TLS traffic.
alert tcp $HOME_NET any -> [92.38.132.51] 80 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205058; rev:1;)
alert tcp $HOME_NET any -> [92.38.132.51] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205059; rev:1;)
alert tcp $HOME_NET any -> [82.222.40.119] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205060; rev:1;)
alert tcp $HOME_NET any -> [116.212.152.12] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205061; rev:1;)
alert tcp $HOME_NET any -> [144.121.143.129] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205062; rev:1;)
alert tcp $HOME_NET any -> [192.188.120.164] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205063; rev:1;)
alert tcp $HOME_NET any -> [172.245.210.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205064; rev:1;)
alert tcp $HOME_NET any -> [172.245.210.10] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205065; rev:1;)
alert tcp $HOME_NET any -> [97.78.222.18] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205066; rev:1;)
alert tcp $HOME_NET any -> [47.74.44.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205067; rev:1;)
alert tcp $HOME_NET any -> [118.97.119.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205068; rev:1;)
alert tcp $HOME_NET any -> [185.42.52.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205069; rev:1;)
alert tcp $HOME_NET any -> [94.232.20.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205070; rev:1;)
alert tcp $HOME_NET any -> [95.154.80.154] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205071; rev:1;)
alert tcp $HOME_NET any -> [185.200.60.138] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205072; rev:1;)
alert tcp $HOME_NET any -> [197.232.243.36] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205073; rev:1;)
alert tcp $HOME_NET any -> [94.181.47.198] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205074; rev:1;)
alert tcp $HOME_NET any -> [103.111.53.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205075; rev:1;)
alert tcp $HOME_NET any -> [89.223.94.240] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205076; rev:1;)
alert tcp $HOME_NET any -> [103.111.55.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205077; rev:1;)
alert tcp $HOME_NET any -> [181.174.112.74] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205078; rev:1;)
alert tcp $HOME_NET any -> [46.149.182.112] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205079; rev:1;)
alert tcp $HOME_NET any -> [140.82.24.184] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205080; rev:1;)
alert tcp $HOME_NET any -> [182.253.20.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205081; rev:1;)
alert tcp $HOME_NET any -> [67.79.15.106] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205082; rev:1;)
alert tcp $HOME_NET any -> [121.58.242.206] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205083; rev:1;)
alert tcp $HOME_NET any -> [62.141.94.107] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205084; rev:1;)
alert tcp $HOME_NET any -> [77.222.55.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205085; rev:1;)
alert tcp $HOME_NET any -> [104.254.10.200] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205086; rev:1;)
alert tcp $HOME_NET any -> [91.201.65.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205087; rev:1;)
alert tcp $HOME_NET any -> [81.17.86.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205088; rev:1;)
alert tcp $HOME_NET any -> [109.173.104.236] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205089; rev:1;)
alert tcp $HOME_NET any -> [31.220.45.151] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205090; rev:1;)
alert tcp $HOME_NET any -> [185.45.193.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205091; rev:1;)
alert tcp $HOME_NET any -> [185.214.10.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205092; rev:1;)
alert tcp $HOME_NET any -> [197.232.50.85] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205093; rev:1;)
alert tcp $HOME_NET any -> [93.189.41.44] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205094; rev:1;)
alert tcp $HOME_NET any -> [185.159.82.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205095; rev:1;)
alert tcp $HOME_NET any -> [185.231.153.228] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205096; rev:1;)
alert tcp $HOME_NET any -> [185.61.138.181] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205097; rev:1;)
alert tcp $HOME_NET any -> [91.217.90.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205098; rev:1;)
alert tcp $HOME_NET any -> [195.254.227.201] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205099; rev:1;)
alert tcp $HOME_NET any -> [178.116.83.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205100; rev:1;)
alert tcp $HOME_NET any -> [111.220.125.141] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205101; rev:1;)
alert tcp $HOME_NET any -> [88.87.231.162] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205102; rev:1;)
alert tcp $HOME_NET any -> [93.189.41.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205103; rev:1;)
alert tcp $HOME_NET any -> [195.123.216.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205104; rev:1;)
alert tcp $HOME_NET any -> [185.212.131.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205105; rev:1;)
alert tcp $HOME_NET any -> [178.132.7.104] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205106; rev:1;)
alert tcp $HOME_NET any -> [185.15.208.110] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205107; rev:1;)
alert tcp $HOME_NET any -> [5.135.252.103] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205108; rev:1;)
alert tcp $HOME_NET any -> [47.49.168.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205109; rev:1;)
alert tcp $HOME_NET any -> [41.211.9.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205110; rev:1;)
alert tcp $HOME_NET any -> [176.10.170.65] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205111; rev:1;)
alert tcp $HOME_NET any -> [51.68.188.128] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205112; rev:1;)
alert tcp $HOME_NET any -> [185.75.90.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205113; rev:1;)
alert tcp $HOME_NET any -> [68.169.161.5] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205114; rev:1;)
alert tcp $HOME_NET any -> [96.43.40.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205115; rev:1;)
alert tcp $HOME_NET any -> [47.254.192.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205116; rev:1;)
alert tcp $HOME_NET any -> [94.142.138.211] 443 (msg:"SSLBL: Traffic to malicious host (likely AgentTesla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205117; rev:1;)
alert tcp $HOME_NET any -> [36.67.215.93] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205118; rev:1;)
alert tcp $HOME_NET any -> [95.142.40.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205119; rev:1;)
alert tcp $HOME_NET any -> [212.225.214.249] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205120; rev:1;)
alert tcp $HOME_NET any -> [180.241.112.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205121; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205122; rev:1;)
alert tcp $HOME_NET any -> [185.62.188.207] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205123; rev:1;)
alert tcp $HOME_NET any -> [143.202.145.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205124; rev:1;)
alert tcp $HOME_NET any -> [5.188.52.204] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205125; rev:1;)
alert tcp $HOME_NET any -> [93.170.123.68] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205126; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.52] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205127; rev:1;)
alert tcp $HOME_NET any -> [185.163.100.30] 8789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205128; rev:1;)
alert tcp $HOME_NET any -> [24.231.0.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205129; rev:1;)
alert tcp $HOME_NET any -> [149.129.223.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Godzilla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205130; rev:1;)
# sid 905205131 is labelled "Sinkhole" rather than "<family> C&C": presumably
# the destination is sinkhole infrastructure, not an attacker-run server. A hit
# still points at a host in $HOME_NET worth triaging. Verify on SSLBL.
alert tcp $HOME_NET any -> [192.42.116.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205131; rev:1;)
alert tcp $HOME_NET any -> [84.237.228.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205132; rev:1;)
alert tcp $HOME_NET any -> [85.9.212.117] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205133; rev:1;)
alert tcp $HOME_NET any -> [198.53.63.120] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205134; rev:1;)
alert tcp $HOME_NET any -> [5.206.224.22] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205135; rev:1;)
alert tcp $HOME_NET any -> [185.121.166.77] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205136; rev:1;)
alert tcp $HOME_NET any -> [185.60.133.246] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205137; rev:1;)
alert tcp $HOME_NET any -> [68.109.83.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205138; rev:1;)
alert tcp $HOME_NET any -> [87.117.146.63] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205139; rev:1;)
alert tcp $HOME_NET any -> [92.38.135.168] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205140; rev:1;)
alert tcp $HOME_NET any -> [83.167.164.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205141; rev:1;)
alert tcp $HOME_NET any -> [185.129.193.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205142; rev:1;)
alert tcp $HOME_NET any -> [91.214.119.37] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205143; rev:1;)
alert tcp $HOME_NET any -> [149.129.129.193] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205144; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.52] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205145; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.56] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205146; rev:1;)
alert tcp $HOME_NET any -> [185.121.166.106] 2112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205147; rev:1;)
# sid 905205148 carries only the generic label "Malware"; the msg names no
# family for this destination.
alert tcp $HOME_NET any -> [185.67.0.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205148; rev:1;)
alert tcp $HOME_NET any -> [118.200.151.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205149; rev:1;)
alert tcp $HOME_NET any -> [184.68.167.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205150; rev:1;)
alert tcp $HOME_NET any -> [65.40.207.151] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205151; rev:1;)
alert tcp $HOME_NET any -> [96.31.109.51] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205152; rev:1;)
alert tcp $HOME_NET any -> [185.206.146.75] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205153; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.69] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205154; rev:1;)
alert tcp $HOME_NET any -> [82.202.166.170] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205155; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.38] 1555 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205156; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.50] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205157; rev:1;)
alert tcp $HOME_NET any -> [178.209.42.109] 4299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205158; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 2808 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205159; rev:1;)
alert tcp $HOME_NET any -> [198.12.90.76] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205160; rev:1;)
alert tcp $HOME_NET any -> [185.141.61.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205161; rev:1;)
alert tcp $HOME_NET any -> [185.128.24.20] 2679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205162; rev:1;)
alert tcp $HOME_NET any -> [185.174.172.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205163; rev:1;)
alert tcp $HOME_NET any -> [185.16.41.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205164; rev:1;)
alert tcp $HOME_NET any -> [185.159.80.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205165; rev:1;)
# sid 905205166 and sid 905205167 share one destination (5.188.228.47:443) but
# carry different labels. Both match the same session and each has its own
# threshold, so one connection can raise two alerts; neither label alone
# identifies the family.
alert tcp $HOME_NET any -> [5.188.228.47] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205166; rev:1;)
alert tcp $HOME_NET any -> [5.188.228.47] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205167; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.234] 15086 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205168; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.72] 20 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205169; rev:1;)
alert tcp $HOME_NET any -> [70.79.178.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205170; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.59] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205171; rev:1;)
alert tcp $HOME_NET any -> [62.113.238.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205172; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.109] 2097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205173; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.39] 1373 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205174; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.112] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205175; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.3] 1153 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205176; rev:1;)
alert tcp $HOME_NET any -> [185.4.29.236] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205177; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.37] 4041 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205178; rev:1;)
alert tcp $HOME_NET any -> [110.10.176.124] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205179; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.69] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205180; rev:1;)
alert tcp $HOME_NET any -> [185.135.83.35] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205181; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.132] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205182; rev:1;)
alert tcp $HOME_NET any -> [212.83.61.213] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205183; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.103] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205184; rev:1;)
alert tcp $HOME_NET any -> [208.78.58.170] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205185; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205186; rev:1;)
alert tcp $HOME_NET any -> [178.78.202.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205187; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 1986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205188; rev:1;)
alert tcp $HOME_NET any -> [185.224.249.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205189; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.87] 7600 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205190; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.70] 4455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205191; rev:1;)
alert tcp $HOME_NET any -> [89.117.107.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205192; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.41] 7720 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205193; rev:1;)
alert tcp $HOME_NET any -> [194.68.23.182] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205194; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.73] 33524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205195; rev:1;)
alert tcp $HOME_NET any -> [201.174.70.238] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205196; rev:1;)
alert tcp $HOME_NET any -> [90.69.224.122] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205197; rev:1;)
alert tcp $HOME_NET any -> [89.105.194.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205198; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.73] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205199; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.19] 4045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205200; rev:1;)
alert tcp $HOME_NET any -> [95.181.179.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205201; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.56] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205202; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.51] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205203; rev:1;)
alert tcp $HOME_NET any -> [45.56.2.247] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205204; rev:1;)
alert tcp $HOME_NET any -> [185.148.145.197] 2672 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205205; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 1373 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205206; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.173] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205207; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.215] 6420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205208; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 3885 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205209; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.79] 8970 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205210; rev:1;)
alert tcp $HOME_NET any -> [213.252.247.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205211; rev:1;) alert tcp $HOME_NET any -> [73.107.42.28] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205212; rev:1;) alert tcp $HOME_NET any -> [185.227.83.49] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205213; rev:1;) alert tcp $HOME_NET any -> [185.148.241.49] 9555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205214; rev:1;) alert tcp $HOME_NET any -> [185.227.83.44] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205215; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 7748 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205216; rev:1;) alert tcp $HOME_NET any -> [185.125.205.86] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205217; rev:1;) alert tcp $HOME_NET any -> [5.188.232.238] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205218; rev:1;) alert tcp $HOME_NET any -> [185.227.83.45] 5007 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205219; rev:1;) alert tcp $HOME_NET any -> [47.40.90.210] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205220; rev:1;) alert tcp $HOME_NET any -> [67.159.157.150] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205221; rev:1;) alert tcp $HOME_NET any -> [146.255.79.176] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205222; rev:1;) alert tcp $HOME_NET any -> [151.106.30.239] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205223; rev:1;) alert tcp $HOME_NET any -> [91.192.100.4] 1918 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205224; rev:1;) alert tcp $HOME_NET any -> [91.192.100.22] 8420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205225; rev:1;) alert tcp $HOME_NET any -> [187.163.215.32] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205226; rev:1;) alert tcp $HOME_NET any -> [185.208.211.208] 7734 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205227; rev:1;) alert tcp $HOME_NET any -> [138.34.32.74] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205228; rev:1;) alert tcp $HOME_NET any -> [91.192.100.9] 1153 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205229; rev:1;) alert tcp $HOME_NET any -> [45.32.235.225] 1983 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205230; rev:1;) alert tcp $HOME_NET any -> [185.148.241.39] 5786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205231; rev:1;) alert tcp $HOME_NET any -> [185.208.211.42] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205232; rev:1;) alert tcp $HOME_NET any -> [181.215.247.211] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205233; rev:1;) alert tcp $HOME_NET any -> [185.208.211.12] 2097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205234; rev:1;) alert tcp $HOME_NET any -> [181.215.247.33] 2343 (msg:"SSLBL: Traffic to 
malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205235; rev:1;) alert tcp $HOME_NET any -> [185.209.85.188] 665 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205236; rev:1;) alert tcp $HOME_NET any -> [185.209.85.75] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205237; rev:1;) alert tcp $HOME_NET any -> [185.148.241.43] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205238; rev:1;) alert tcp $HOME_NET any -> [185.208.211.139] 4040 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205239; rev:1;) alert tcp $HOME_NET any -> [185.115.32.166] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205240; rev:1;) alert tcp $HOME_NET any -> [200.2.126.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205241; rev:1;) alert tcp $HOME_NET any -> [185.209.85.68] 2442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205242; rev:1;) alert tcp $HOME_NET any -> 
[185.209.85.182] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205243; rev:1;) alert tcp $HOME_NET any -> [91.192.100.16] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205244; rev:1;) alert tcp $HOME_NET any -> [185.209.85.183] 90 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205245; rev:1;) alert tcp $HOME_NET any -> [62.31.150.202] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205246; rev:1;) alert tcp $HOME_NET any -> [86.61.177.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205247; rev:1;) alert tcp $HOME_NET any -> [213.183.59.130] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205248; rev:1;) alert tcp $HOME_NET any -> [181.174.165.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205249; rev:1;) alert tcp $HOME_NET any -> [144.76.237.29] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205250; 
rev:1;) alert tcp $HOME_NET any -> [185.148.241.58] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205251; rev:1;) alert tcp $HOME_NET any -> [185.209.85.67] 6969 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205252; rev:1;) alert tcp $HOME_NET any -> [138.34.32.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205253; rev:1;) alert tcp $HOME_NET any -> [41.211.9.226] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205254; rev:1;) alert tcp $HOME_NET any -> [185.208.211.137] 4546 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205255; rev:1;) alert tcp $HOME_NET any -> [185.209.85.75] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205256; rev:1;) alert tcp $HOME_NET any -> [36.74.100.211] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205257; rev:1;) alert tcp $HOME_NET any -> [185.208.211.202] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905205258; rev:1;) alert tcp $HOME_NET any -> [185.209.85.65] 7177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205259; rev:1;) alert tcp $HOME_NET any -> [194.68.59.50] 2311 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205260; rev:1;) alert tcp $HOME_NET any -> [185.148.241.41] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205261; rev:1;) alert tcp $HOME_NET any -> [185.209.85.186] 6420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205262; rev:1;) alert tcp $HOME_NET any -> [185.209.85.66] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205263; rev:1;) alert tcp $HOME_NET any -> [185.148.241.53] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205264; rev:1;) alert tcp $HOME_NET any -> [188.124.167.132] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205265; rev:1;) alert tcp $HOME_NET any -> [185.209.85.180] 7890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205266; rev:1;) alert tcp $HOME_NET any -> [46.21.154.83] 14486 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205267; rev:1;) alert tcp $HOME_NET any -> [146.255.79.180] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205268; rev:1;) alert tcp $HOME_NET any -> [204.16.247.51] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205269; rev:1;) alert tcp $HOME_NET any -> [185.208.211.2] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205270; rev:1;) alert tcp $HOME_NET any -> [185.208.211.218] 7751 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205271; rev:1;) alert tcp $HOME_NET any -> [181.215.247.89] 2543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205272; rev:1;) alert tcp $HOME_NET any -> [66.98.121.192] 5555 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205273; rev:1;) alert tcp $HOME_NET any -> [206.123.145.108] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205274; rev:1;) alert tcp $HOME_NET any -> [155.133.31.21] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205275; rev:1;) alert tcp $HOME_NET any -> [185.209.85.64] 4001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205276; rev:1;) alert tcp $HOME_NET any -> [104.247.219.27] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205277; rev:1;) alert tcp $HOME_NET any -> [181.215.247.51] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205278; rev:1;) alert tcp $HOME_NET any -> [185.208.211.76] 3033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205279; rev:1;) alert tcp $HOME_NET any -> [190.4.189.129] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205280; rev:1;) alert tcp $HOME_NET any -> [146.255.79.181] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205281; rev:1;) alert tcp $HOME_NET any -> [87.255.24.238] 449 (msg:"SSLBL: Traffic to malicious host 
(likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205282; rev:1;) alert tcp $HOME_NET any -> [85.143.202.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205283; rev:1;) alert tcp $HOME_NET any -> [182.253.210.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205284; rev:1;) alert tcp $HOME_NET any -> [70.169.12.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205285; rev:1;) alert tcp $HOME_NET any -> [77.246.158.28] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205286; rev:1;) alert tcp $HOME_NET any -> [24.228.185.224] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205287; rev:1;) alert tcp $HOME_NET any -> [185.148.241.51] 3011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205288; rev:1;) alert tcp $HOME_NET any -> [185.209.85.183] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205289; rev:1;) alert tcp $HOME_NET any -> [200.111.167.227] 449 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205290; rev:1;) alert tcp $HOME_NET any -> [185.209.85.65] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205291; rev:1;) alert tcp $HOME_NET any -> [181.215.247.208] 20903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205292; rev:1;) alert tcp $HOME_NET any -> [103.43.75.105] 1972 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205293; rev:1;) alert tcp $HOME_NET any -> [158.58.131.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205294; rev:1;) alert tcp $HOME_NET any -> [181.215.247.66] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205295; rev:1;) alert tcp $HOME_NET any -> [185.208.211.139] 1864 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205296; rev:1;) alert tcp $HOME_NET any -> [46.47.50.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205297; rev:1;) alert tcp 
$HOME_NET any -> [185.141.62.100] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205298; rev:1;) alert tcp $HOME_NET any -> [46.173.218.66] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205299; rev:1;) alert tcp $HOME_NET any -> [109.234.35.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205300; rev:1;) alert tcp $HOME_NET any -> [185.148.241.59] 6692 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205301; rev:1;) alert tcp $HOME_NET any -> [185.168.185.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205302; rev:1;) alert tcp $HOME_NET any -> [66.189.228.49] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205303; rev:1;) alert tcp $HOME_NET any -> [190.7.199.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205304; rev:1;) alert tcp $HOME_NET any -> [93.109.242.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905205305; rev:1;) alert tcp $HOME_NET any -> [185.125.205.69] 6897 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205306; rev:1;) alert tcp $HOME_NET any -> [65.30.201.40] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205307; rev:1;) alert tcp $HOME_NET any -> [146.255.79.162] 1111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205308; rev:1;) alert tcp $HOME_NET any -> [185.209.85.188] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205309; rev:1;) alert tcp $HOME_NET any -> [185.208.211.199] 8773 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205310; rev:1;) alert tcp $HOME_NET any -> [185.117.75.121] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205311; rev:1;) alert tcp $HOME_NET any -> [91.192.100.57] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205312; rev:1;) alert tcp $HOME_NET any -> [185.125.205.70] 2060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205313; rev:1;)
# NOTE(review): the rules below are laid out one per line; the fragment above and
# the fragment at the end of this run belong to rules that continue outside it.
#
# What a hit means: every rule here matches only on destination IP and TCP port
# for an established, to_server flow from $HOME_NET. No TLS, certificate or
# payload keyword is present, so an alert shows that a connection reached the
# listed address, not that the named family was identified on the wire. The
# family in msg is the feed's attribution ("likely"); corroborate with host or
# TLS telemetry before escalating.
#
# Alert volume: "threshold: type limit, track by_src, seconds 60, count 1" caps
# each sid at one alert per source address per 60 seconds, so repeated beacons
# from one host inside that window do not produce further alerts.
#
# Triage caveats:
#  - The file header labels this the "Aggressive" list; presumably it also keeps
#    entries that are no longer active. Confirm entry age against the feed
#    before using these addresses for blocking rather than alerting.
#  - Several addresses appear under more than one port, each with its own sid
#    (for example 144.48.51.8 and 203.86.222.142 on both 443 and 449).
#  - msg capitalisation is not uniform ("TrickBot" and "Trickbot"); normalise
#    case when grouping alerts by msg in a SIEM.
alert tcp $HOME_NET any -> [198.50.170.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205314; rev:1;)
alert tcp $HOME_NET any -> [144.48.51.8] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205315; rev:1;)
alert tcp $HOME_NET any -> [109.86.227.152] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205316; rev:1;)
alert tcp $HOME_NET any -> [93.170.123.78] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205317; rev:1;)
alert tcp $HOME_NET any -> [66.232.212.59] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205318; rev:1;)
alert tcp $HOME_NET any -> [83.168.83.29] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205319; rev:1;)
alert tcp $HOME_NET any -> [80.53.57.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205320; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.69] 7791 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205321; rev:1;)
alert tcp $HOME_NET any -> [85.143.174.206] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205322; rev:1;)
alert tcp $HOME_NET any -> [71.85.72.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205323; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.55] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205324; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.52] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205325; rev:1;)
alert tcp $HOME_NET any -> [209.121.142.214] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205326; rev:1;)
alert tcp $HOME_NET any -> [185.48.56.134] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205327; rev:1;)
alert tcp $HOME_NET any -> [5.187.0.158] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205328; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.41] 6540 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205329; rev:1;)
alert tcp $HOME_NET any -> [172.94.47.7] 6014 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205330; rev:1;)
alert tcp $HOME_NET any -> [74.118.139.79] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205331; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.166] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205332; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.36] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205333; rev:1;)
alert tcp $HOME_NET any -> [185.220.68.230] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205334; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.72] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205335; rev:1;)
alert tcp $HOME_NET any -> [154.127.59.97] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205336; rev:1;)
alert tcp $HOME_NET any -> [185.180.198.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205337; rev:1;)
alert tcp $HOME_NET any -> [185.159.130.87] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205338; rev:1;)
alert tcp $HOME_NET any -> [46.72.175.17] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205339; rev:1;)
alert tcp $HOME_NET any -> [172.81.133.35] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205340; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.186] 6022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205341; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.36] 2071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205342; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.182] 7063 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205343; rev:1;)
alert tcp $HOME_NET any -> [92.55.251.211] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205344; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.60] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205345; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.5] 2442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205346; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.53] 2557 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205347; rev:1;)
alert tcp $HOME_NET any -> [94.112.52.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205348; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.180] 2050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205349; rev:1;)
alert tcp $HOME_NET any -> [185.243.131.171] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205350; rev:1;)
alert tcp $HOME_NET any -> [80.87.195.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205351; rev:1;)
alert tcp $HOME_NET any -> [46.243.179.212] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205352; rev:1;)
alert tcp $HOME_NET any -> [185.174.172.226] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205353; rev:1;)
alert tcp $HOME_NET any -> [62.109.18.210] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205354; rev:1;)
alert tcp $HOME_NET any -> [208.75.117.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205355; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.66] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205356; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.71] 7171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205357; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.169] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205358; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.156] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205359; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.24] 6789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205360; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.161] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205361; rev:1;)
alert tcp $HOME_NET any -> [209.121.142.202] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205362; rev:1;)
alert tcp $HOME_NET any -> [203.86.222.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205363; rev:1;)
alert tcp $HOME_NET any -> [82.202.236.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205364; rev:1;)
alert tcp $HOME_NET any -> [185.249.255.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205365; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.48] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205366; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.181] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205367; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.102] 3661 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205368; rev:1;)
alert tcp $HOME_NET any -> [195.54.162.77] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205369; rev:1;)
alert tcp $HOME_NET any -> [185.159.129.149] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205370; rev:1;)
alert tcp $HOME_NET any -> [107.144.49.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205371; rev:1;)
alert tcp $HOME_NET any -> [109.234.37.89] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205372; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.35] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205373; rev:1;)
alert tcp $HOME_NET any -> [194.87.238.137] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205374; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.69] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205375; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.11] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205376; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.70] 3288 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205377; rev:1;)
alert tcp $HOME_NET any -> [5.102.177.205] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205378; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.201] 4535 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205379; rev:1;)
alert tcp $HOME_NET any -> [85.143.214.226] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205380; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.186] 3821 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205381; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.72] 8970 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205382; rev:1;)
alert tcp $HOME_NET any -> [37.230.112.67] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205383; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.64] 7366 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205384; rev:1;)
alert tcp $HOME_NET any -> [185.159.128.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205385; rev:1;)
alert tcp $HOME_NET any -> [80.87.195.120] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205386; rev:1;)
alert tcp $HOME_NET any -> [162.244.32.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205387; rev:1;)
alert tcp $HOME_NET any -> [68.227.31.46] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205388; rev:1;)
alert tcp $HOME_NET any -> [81.177.255.76] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205389; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.161] 8475 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205390; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.33] 3917 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205391; rev:1;)
alert tcp $HOME_NET any -> [185.174.175.14] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205392; rev:1;)
alert tcp $HOME_NET any -> [92.53.67.190] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205393; rev:1;)
alert tcp $HOME_NET any -> [185.4.29.143] 7962 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205394; rev:1;)
alert tcp $HOME_NET any -> [185.68.93.12] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205395; rev:1;)
alert tcp $HOME_NET any -> [212.92.98.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205396; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.71] 4181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205397; rev:1;)
alert tcp $HOME_NET any -> [188.209.52.62] 49575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205398; rev:1;)
alert tcp $HOME_NET any -> [95.161.180.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205399; rev:1;)
alert tcp $HOME_NET any -> [203.86.222.142] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205400; rev:1;)
alert tcp $HOME_NET any -> [46.21.249.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205401; rev:1;)
alert tcp $HOME_NET any -> [185.236.130.126] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205402; rev:1;)
alert tcp $HOME_NET any -> [191.6.18.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205403; rev:1;)
alert tcp $HOME_NET any -> [193.233.62.145] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205404; rev:1;)
alert tcp $HOME_NET any -> [172.86.120.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205405; rev:1;)
alert tcp $HOME_NET any -> [193.0.179.140] 80 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205406; rev:1;)
alert tcp $HOME_NET any -> [89.37.226.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205407; rev:1;)
alert tcp $HOME_NET any -> [144.48.51.8] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205408; rev:1;)
alert tcp $HOME_NET any -> [176.32.33.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205409; rev:1;)
alert tcp $HOME_NET any -> [194.87.111.48] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205410; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205411; rev:1;)
alert tcp $HOME_NET any -> [82.146.62.102] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205412; rev:1;)
alert tcp $HOME_NET any -> [92.53.91.229] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205413; rev:1;)
alert tcp $HOME_NET any -> [195.133.48.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205414; rev:1;)
alert tcp $HOME_NET any -> [109.95.114.28] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205415; rev:1;)
alert tcp $HOME_NET any -> [195.123.237.208] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205416; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.185] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205417; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.133] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205418; rev:1;)
alert tcp $HOME_NET any -> [185.249.255.172] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205419; rev:1;)
alert tcp $HOME_NET any -> [78.155.199.161] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205420; rev:1;)
alert tcp $HOME_NET any -> [179.107.89.145] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205421; rev:1;)
alert tcp $HOME_NET any -> [185.42.192.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205422; rev:1;)
alert tcp $HOME_NET any -> [185.159.128.224] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205423; rev:1;)
alert tcp $HOME_NET any -> [173.220.6.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205424; rev:1;)
alert tcp $HOME_NET any -> [95.213.252.243] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205425; rev:1;)
alert tcp $HOME_NET any -> [68.96.73.154] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205426; rev:1;)
alert tcp $HOME_NET any -> [185.223.95.66] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205427; rev:1;)
alert tcp $HOME_NET any -> [46.20.207.204] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205428; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.128] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205429; rev:1;)
alert tcp $HOME_NET any -> [195.136.226.11] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205430; rev:1;)
alert tcp $HOME_NET any -> [94.103.81.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205431; rev:1;)
alert tcp $HOME_NET any -> [185.223.95.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205432; rev:1;)
alert tcp $HOME_NET any -> [95.213.204.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205433; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.106] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205434; rev:1;)
alert tcp $HOME_NET any -> [185.228.232.218] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205435; rev:1;)
alert tcp $HOME_NET any -> [91.206.4.216] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205436; rev:1;)
alert tcp $HOME_NET any -> [137.74.159.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205437; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.23] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205438; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205439; rev:1;)
alert tcp $HOME_NET any -> [70.91.134.61] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205440; rev:1;)
alert tcp $HOME_NET any -> [130.180.89.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205441; rev:1;)
alert tcp $HOME_NET any -> [94.103.80.27] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205442; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205443; rev:1;)
alert tcp $HOME_NET any -> [176.122.20.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205444; rev:1;)
alert tcp $HOME_NET any -> [91.243.80.109] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205445; rev:1;)
alert tcp $HOME_NET any -> [109.234.39.242] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205446; rev:1;)
alert tcp $HOME_NET any -> [85.143.173.177] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205447; rev:1;)
alert tcp $HOME_NET any -> [185.159.129.10] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205448; rev:1;)
alert tcp $HOME_NET any -> [109.234.37.114] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205449; rev:1;)
alert tcp $HOME_NET any -> [90.63.223.63] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205450; rev:1;)
alert tcp $HOME_NET any -> [185.26.174.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205451; rev:1;)
alert tcp $HOME_NET any -> [37.230.114.136] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205452; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205453; rev:1;)
alert tcp $HOME_NET any -> [176.121.215.149] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205454; rev:1;)
alert tcp $HOME_NET any -> [185.243.131.63] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205455; rev:1;)
alert tcp $HOME_NET any -> [85.143.214.12] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205456; rev:1;)
alert tcp $HOME_NET any -> [93.181.186.127] 451 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205457; rev:1;)
alert tcp $HOME_NET any -> [95.213.252.10] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205458; rev:1;)
alert tcp $HOME_NET any -> [65.123.48.221] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205459; rev:1;)
alert tcp $HOME_NET any -> [92.53.78.213] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205460; rev:1;)
alert tcp $HOME_NET any -> [69.122.117.95] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205461; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.186] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205462; rev:1;)
alert tcp $HOME_NET any -> [146.185.254.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205463; rev:1;)
alert tcp $HOME_NET any -> [85.143.222.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205464; rev:1;)
alert tcp $HOME_NET any -> [185.249.254.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205465; rev:1;)
alert tcp $HOME_NET any -> [189.84.125.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205466; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.65] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205467; rev:1;)
alert tcp $HOME_NET any -> [89.37.56.24] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205468; rev:1;)
alert tcp $HOME_NET any -> [185.159.128.158] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205469; rev:1;)
alert tcp $HOME_NET any -> [207.140.15.87] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205470; rev:1;)
alert tcp $HOME_NET any -> [89.223.24.221] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205471; rev:1;)
alert tcp $HOME_NET any -> [86.23.59.198] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205472; rev:1;)
alert tcp $HOME_NET any -> [92.53.91.229] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205473; rev:1;)
alert tcp $HOME_NET any -> [195.133.196.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205474; rev:1;)
alert tcp $HOME_NET any -> [185.26.174.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205475; rev:1;)
alert tcp $HOME_NET any -> [193.233.62.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205476; rev:1;)
alert tcp $HOME_NET any -> [195.123.216.102] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205477; rev:1;)
alert tcp $HOME_NET any -> [85.143.221.60] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205478; rev:1;) alert tcp $HOME_NET any -> [185.158.155.56] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205479; rev:1;) alert tcp $HOME_NET any -> [195.133.147.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205480; rev:1;) alert tcp $HOME_NET any -> [31.41.81.47] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205481; rev:1;) alert tcp $HOME_NET any -> [78.155.206.228] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205482; rev:1;) alert tcp $HOME_NET any -> [192.225.226.15] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205483; rev:1;) alert tcp $HOME_NET any -> [109.234.38.199] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205484; rev:1;) alert tcp $HOME_NET any -> [94.230.20.47] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205485; rev:1;) alert tcp $HOME_NET any -> [95.213.235.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205486; rev:1;) alert tcp $HOME_NET any -> [109.234.35.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205487; rev:1;) alert tcp $HOME_NET any -> [31.134.52.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205488; rev:1;) alert tcp $HOME_NET any -> [185.159.128.75] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205489; rev:1;) alert tcp $HOME_NET any -> [185.174.173.116] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205490; rev:1;) alert tcp $HOME_NET any -> [93.181.186.127] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205491; rev:1;) alert tcp $HOME_NET any -> [185.56.90.77] 19000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205492; rev:1;) alert tcp $HOME_NET any -> [185.228.232.14] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205493; rev:1;) alert tcp $HOME_NET any -> [95.181.179.96] 443 (msg:"SSLBL: Traffic to malicious 
host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205494; rev:1;) alert tcp $HOME_NET any -> [192.95.35.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205495; rev:1;) alert tcp $HOME_NET any -> [178.32.52.15] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205496; rev:1;) alert tcp $HOME_NET any -> [82.146.59.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205497; rev:1;) alert tcp $HOME_NET any -> [31.131.27.106] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205498; rev:1;) alert tcp $HOME_NET any -> [85.222.109.54] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205499; rev:1;) alert tcp $HOME_NET any -> [195.123.213.188] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205500; rev:1;) alert tcp $HOME_NET any -> [93.95.97.136] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205501; rev:1;) alert tcp $HOME_NET any -> [188.227.72.195] 443 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205502; rev:1;) alert tcp $HOME_NET any -> [92.53.78.236] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205503; rev:1;) alert tcp $HOME_NET any -> [185.228.232.215] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205504; rev:1;) alert tcp $HOME_NET any -> [109.95.113.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205505; rev:1;) alert tcp $HOME_NET any -> [199.247.31.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205506; rev:1;) alert tcp $HOME_NET any -> [186.2.168.150] 443 (msg:"SSLBL: Traffic to malicious host (likely QuantLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205507; rev:1;) alert tcp $HOME_NET any -> [82.214.141.134] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205508; rev:1;) alert tcp $HOME_NET any -> [178.209.40.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205509; rev:1;) alert 
tcp $HOME_NET any -> [195.123.233.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205510; rev:1;) alert tcp $HOME_NET any -> [86.105.18.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205511; rev:1;) alert tcp $HOME_NET any -> [31.131.26.13] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205512; rev:1;) alert tcp $HOME_NET any -> [91.243.81.13] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205513; rev:1;) alert tcp $HOME_NET any -> [5.188.231.226] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205514; rev:1;) alert tcp $HOME_NET any -> [86.105.1.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205515; rev:1;) alert tcp $HOME_NET any -> [85.143.175.248] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205516; rev:1;) alert tcp $HOME_NET any -> [81.227.0.215] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905205517; rev:1;) alert tcp $HOME_NET any -> [109.173.183.245] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205518; rev:1;) alert tcp $HOME_NET any -> [23.105.131.139] 2023 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205519; rev:1;) alert tcp $HOME_NET any -> [109.234.35.3] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205520; rev:1;) alert tcp $HOME_NET any -> [185.55.64.47] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205521; rev:1;) alert tcp $HOME_NET any -> [82.202.226.62] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205522; rev:1;) alert tcp $HOME_NET any -> [66.70.218.34] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205523; rev:1;) alert tcp $HOME_NET any -> [5.8.88.166] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205524; rev:1;) alert tcp $HOME_NET any -> [192.251.231.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905205525; rev:1;) alert tcp $HOME_NET any -> [46.28.204.81] 443 (msg:"SSLBL: Traffic to malicious host (likely QuantLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205526; rev:1;) alert tcp $HOME_NET any -> [31.134.60.181] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205527; rev:1;) alert tcp $HOME_NET any -> [31.172.177.90] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205528; rev:1;) alert tcp $HOME_NET any -> [185.180.196.109] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205529; rev:1;) alert tcp $HOME_NET any -> [212.14.51.56] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205530; rev:1;) alert tcp $HOME_NET any -> [185.209.85.75] 7768 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205531; rev:1;) alert tcp $HOME_NET any -> [185.180.196.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205532; rev:1;) alert tcp $HOME_NET any -> [185.180.197.58] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205533; rev:1;) alert tcp $HOME_NET any -> [195.133.146.156] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205534; rev:1;) alert tcp $HOME_NET any -> [217.63.197.185] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205535; rev:1;) alert tcp $HOME_NET any -> [5.255.94.80] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205536; rev:1;) alert tcp $HOME_NET any -> [91.243.80.131] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205537; rev:1;) alert tcp $HOME_NET any -> [94.177.12.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205538; rev:1;) alert tcp $HOME_NET any -> [138.128.5.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205539; rev:1;) alert tcp $HOME_NET any -> [178.170.244.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205540; rev:1;) alert tcp $HOME_NET any -> [46.21.249.49] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205541; rev:1;) alert tcp $HOME_NET any -> [46.249.62.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205542; rev:1;) alert tcp $HOME_NET any -> [185.246.65.222] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205543; rev:1;) alert tcp $HOME_NET any -> [46.249.62.219] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205544; rev:1;) alert tcp $HOME_NET any -> [5.63.158.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205545; rev:1;) alert tcp $HOME_NET any -> [134.0.115.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205546; rev:1;) alert tcp $HOME_NET any -> [45.77.61.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205547; rev:1;) alert tcp $HOME_NET any -> [89.248.171.38] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205548; rev:1;) alert tcp $HOME_NET any -> [185.209.85.73] 2141 (msg:"SSLBL: Traffic to malicious host (likely 
Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205549; rev:1;) alert tcp $HOME_NET any -> [192.71.247.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205550; rev:1;) alert tcp $HOME_NET any -> [199.247.7.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205551; rev:1;) alert tcp $HOME_NET any -> [109.234.35.121] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205552; rev:1;) alert tcp $HOME_NET any -> [37.220.31.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205553; rev:1;) alert tcp $HOME_NET any -> [91.221.36.71] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205554; rev:1;) alert tcp $HOME_NET any -> [185.228.233.229] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205555; rev:1;) alert tcp $HOME_NET any -> [46.148.26.106] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205556; rev:1;) alert tcp $HOME_NET any -> [23.105.131.148] 4001 (msg:"SSLBL: 
Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205557; rev:1;) alert tcp $HOME_NET any -> [91.243.80.21] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205558; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205559; rev:1;) alert tcp $HOME_NET any -> [185.212.149.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205560; rev:1;) alert tcp $HOME_NET any -> [86.105.18.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205561; rev:1;) alert tcp $HOME_NET any -> [185.68.93.41] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205562; rev:1;) alert tcp $HOME_NET any -> [95.46.8.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205563; rev:1;) alert tcp $HOME_NET any -> [181.175.124.212] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205564; rev:1;) alert tcp $HOME_NET any -> 
[81.176.239.167] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205565; rev:1;) alert tcp $HOME_NET any -> [89.35.228.199] 2067 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205566; rev:1;) alert tcp $HOME_NET any -> [37.187.54.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205567; rev:1;) alert tcp $HOME_NET any -> [37.187.54.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205568; rev:1;) alert tcp $HOME_NET any -> [81.169.128.232] 4743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205569; rev:1;) alert tcp $HOME_NET any -> [194.87.236.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205570; rev:1;) alert tcp $HOME_NET any -> [46.21.249.52] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205571; rev:1;) alert tcp $HOME_NET any -> [91.192.100.5] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205572; rev:1;) 
alert tcp $HOME_NET any -> [194.87.235.92] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205573; rev:1;) alert tcp $HOME_NET any -> [210.187.214.162] 9349 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205574; rev:1;) alert tcp $HOME_NET any -> [31.171.155.33] 1215 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205575; rev:1;) alert tcp $HOME_NET any -> [213.183.58.36] 6774 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205576; rev:1;) alert tcp $HOME_NET any -> [212.92.98.106] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205577; rev:1;) alert tcp $HOME_NET any -> [176.223.111.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205578; rev:1;) alert tcp $HOME_NET any -> [213.152.162.84] 56293 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205579; rev:1;) alert tcp $HOME_NET any -> [185.48.239.33] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905205580; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules that follow (one rule per line).
#
# - Each rule matches only on destination address and port, for an established
#   TCP flow leaving $HOME_NET (flow:established,to_server). No payload, TLS or
#   certificate condition is present, so any service reachable on that IP:port
#   raises the same alert.
# - "threshold: type limit, track by_src, seconds 60, count 1" caps output at
#   one alert per source address per 60 seconds for each sid, so alert volume
#   is not a connection count. Use flow or connection logs to scope activity.
# - The family name in msg is the feed's "likely" attribution; treat it as a
#   triage hint, not a confirmed identification.
# - NOTE(review): the file header labels this the "Aggressive" ruleset, and the
#   rules carry no reference or first/last-seen date, so the age of an
#   indicator cannot be read from the rule. Presumably some addresses have been
#   reassigned since listing; check the current SSLBL entry
#   (https://sslbl.abuse.ch/blacklist/) before escalating or blocking on a hit.
# - NOTE(review): by_src tracking assumes the sensor sees the original client
#   address. Behind NAT or a forward proxy the source would be the gateway;
#   confirm sensor placement and the $HOME_NET definition.
# - NOTE(review): the in-rule "threshold" keyword is documented as deprecated
#   in Snort 2.x in favour of detection_filter / event_filter; verify that the
#   engine and version in use still accept it.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [213.183.58.49] 7741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205581; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.6] 2378 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205582; rev:1;)
alert tcp $HOME_NET any -> [5.133.179.117] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205583; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.33] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205584; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.33] 2060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205585; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.198] 7798 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205586; rev:1;)
alert tcp $HOME_NET any -> [45.113.70.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205587; rev:1;)
alert tcp $HOME_NET any -> [185.145.44.174] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205588; rev:1;)
alert tcp $HOME_NET any -> [5.187.49.225] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205589; rev:1;)
alert tcp $HOME_NET any -> [195.133.144.185] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205590; rev:1;)
alert tcp $HOME_NET any -> [194.87.234.173] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205591; rev:1;)
alert tcp $HOME_NET any -> [194.87.237.93] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205592; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.240] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205593; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.122] 7499 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205594; rev:1;)
alert tcp $HOME_NET any -> [212.92.98.7] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205595; rev:1;)
alert tcp $HOME_NET any -> [206.255.220.53] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205596; rev:1;)
alert tcp $HOME_NET any -> [212.14.51.56] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205597; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.81] 1810 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205598; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.25] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205599; rev:1;)
alert tcp $HOME_NET any -> [185.175.158.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205600; rev:1;)
alert tcp $HOME_NET any -> [185.211.247.31] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205601; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.218] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205602; rev:1;)
alert tcp $HOME_NET any -> [185.212.149.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205603; rev:1;)
alert tcp $HOME_NET any -> [92.114.92.11] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205604; rev:1;)
alert tcp $HOME_NET any -> [89.45.67.21] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205605; rev:1;)
alert tcp $HOME_NET any -> [173.212.248.207] 5051 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205606; rev:1;)
alert tcp $HOME_NET any -> [178.33.108.70] 2050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205607; rev:1;)
alert tcp $HOME_NET any -> [194.87.239.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205608; rev:1;)
alert tcp $HOME_NET any -> [179.43.147.247] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205609; rev:1;)
alert tcp $HOME_NET any -> [185.24.232.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205610; rev:1;)
alert tcp $HOME_NET any -> [78.155.219.55] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205611; rev:1;)
alert tcp $HOME_NET any -> [212.14.51.43] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205612; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.171] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205613; rev:1;)
alert tcp $HOME_NET any -> [185.189.112.157] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205614; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.200] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205615; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.94] 6692 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205616; rev:1;)
alert tcp $HOME_NET any -> [173.254.223.83] 5434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205617; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.177] 3076 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205618; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.154] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205619; rev:1;)
alert tcp $HOME_NET any -> [69.64.251.41] 2565 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205620; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.8] 2103 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205621; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.44] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205622; rev:1;)
alert tcp $HOME_NET any -> [45.32.24.40] 3033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205623; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.69] 3940 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205624; rev:1;)
alert tcp $HOME_NET any -> [95.141.43.197] 2212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205625; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.186] 4455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205626; rev:1;)
alert tcp $HOME_NET any -> [103.68.223.149] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205627; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.33] 32266 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205628; rev:1;)
alert tcp $HOME_NET any -> [95.141.43.194] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205629; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.33] 7037 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205630; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.86] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205631; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.38] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205632; rev:1;)
alert tcp $HOME_NET any -> [84.38.135.148] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205633; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.146] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205634; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205635; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.28] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205636; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.70] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205637; rev:1;)
alert tcp $HOME_NET any -> [84.200.84.224] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205638; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.54] 4781 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205639; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.209] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205640; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.5] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205641; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.37] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205642; rev:1;)
alert tcp $HOME_NET any -> [5.196.121.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205643; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.43] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205644; rev:1;)
alert tcp $HOME_NET any -> [95.213.204.124] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205645; rev:1;)
alert tcp $HOME_NET any -> [69.124.38.159] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205646; rev:1;)
alert tcp $HOME_NET any -> [185.45.192.185] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205647; rev:1;)
alert tcp $HOME_NET any -> [154.16.93.178] 5678 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205648; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.62] 6789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205649; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.11] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205650; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.9] 2526 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205651; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.48] 1992 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205652; rev:1;)
alert tcp $HOME_NET any -> [137.74.157.92] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205653; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.8] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205654; rev:1;)
alert tcp $HOME_NET any -> [185.101.34.90] 1789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205655; rev:1;)
alert tcp $HOME_NET any -> [185.29.8.119] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205656; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.28] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205657; rev:1;)
alert tcp $HOME_NET any -> [195.133.1.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205658; rev:1;)
alert tcp $HOME_NET any -> [185.24.232.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205659; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.38] 10101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205660; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.231] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205661; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.156] 64271 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205662; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.196] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205663; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.52] 7110 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205664; rev:1;)
alert tcp $HOME_NET any -> [67.215.9.226] 5680 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205665; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.34] 3366 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205666; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.97] 3917 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205667; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.43] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205668; rev:1;)
alert tcp $HOME_NET any -> [109.234.36.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205669; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.186] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205670; rev:1;)
alert tcp $HOME_NET any -> [92.53.77.125] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205671; rev:1;)
alert tcp $HOME_NET any -> [195.133.144.162] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205672; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.178] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205673; rev:1;)
alert tcp $HOME_NET any -> [176.10.100.155] 6789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205674; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.52] 70 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205675; rev:1;)
alert tcp $HOME_NET any -> [219.92.131.188] 3255 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205676; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.2] 4914 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205677; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.29] 53826 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205678; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.53] 6643 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205679; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.191] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205680; rev:1;)
alert tcp $HOME_NET any -> [191.101.27.3] 4933 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205681; rev:1;)
alert tcp $HOME_NET any -> [144.217.20.62] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205682; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.26] 8102 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205683; rev:1;)
alert tcp $HOME_NET any -> [60.50.229.87] 9349 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205684; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.167] 4343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205685; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.175] 7039 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205686; rev:1;)
alert tcp $HOME_NET any -> [176.10.100.157] 3020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205687; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.36] 1956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205688; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.81] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205689; rev:1;)
alert tcp $HOME_NET any -> [216.38.7.248] 1212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205690; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.19] 4101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205691; rev:1;)
alert tcp $HOME_NET any -> [92.53.78.158] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205692; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.20] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205693; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.139] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205694; rev:1;)
alert tcp $HOME_NET any -> [185.62.188.94] 49575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205695; rev:1;)
alert tcp $HOME_NET any -> [185.236.130.122] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205696; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 6042 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205697; rev:1;)
alert tcp $HOME_NET any -> [185.236.130.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205698; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.203] 100 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205699; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.10] 5534 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205700; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.159] 1002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205701; rev:1;)
alert tcp $HOME_NET any -> [213.152.162.165] 34071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205702; rev:1;)
alert tcp $HOME_NET any -> [94.242.57.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205703; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.199] 3422 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205704; rev:1;)
alert tcp $HOME_NET any -> [205.178.144.133] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205705; rev:1;)
alert tcp $HOME_NET any -> [85.214.62.153] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205706; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.115] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205707; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.36] 6466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205708; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.132] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205709; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.72] 2555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205710; rev:1;)
alert tcp $HOME_NET any -> [185.236.130.123] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205711; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.36] 3939 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205712; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.226] 7383 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205713; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.6] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205714; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.126] 4201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205715; rev:1;)
alert tcp $HOME_NET any -> [185.186.244.86] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205716; rev:1;)
alert tcp $HOME_NET any -> [154.16.93.177] 3465 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205717; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.139] 18993 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205718; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.200] 1722 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205719; rev:1;)
alert tcp $HOME_NET any -> [78.155.218.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205720; rev:1;)
alert tcp $HOME_NET any -> [149.255.36.229] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205721; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.45] 6890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205722; rev:1;)
alert tcp $HOME_NET any -> [45.77.82.205] 2002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205723; rev:1;)
alert tcp $HOME_NET any -> [95.213.194.9] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205724; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205725; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.34] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205726; rev:1;)
alert tcp $HOME_NET any -> [185.56.90.79] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205727; rev:1;)
alert tcp $HOME_NET any -> [216.38.7.252] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205728; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.192] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205729; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.24] 4914 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205730; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.99] 2258 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205731; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.60] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205732; rev:1;)
alert tcp $HOME_NET any -> [194.87.95.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205733; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.165] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205734; rev:1;)
alert tcp $HOME_NET any -> [37.230.115.201] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205735; rev:1;)
alert tcp $HOME_NET any -> [62.109.27.157] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205736; rev:1;)
alert tcp $HOME_NET any -> [94.250.252.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205737; rev:1;)
alert tcp $HOME_NET
any -> [185.228.232.87] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205738; rev:1;) alert tcp $HOME_NET any -> [77.244.215.158] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205739; rev:1;) alert tcp $HOME_NET any -> [174.127.99.214] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205740; rev:1;) alert tcp $HOME_NET any -> [78.130.176.162] 5543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205741; rev:1;) alert tcp $HOME_NET any -> [137.74.157.90] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205742; rev:1;) alert tcp $HOME_NET any -> [194.68.59.33] 7321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205743; rev:1;) alert tcp $HOME_NET any -> [160.202.163.242] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205744; rev:1;) alert tcp $HOME_NET any -> [46.21.248.108] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905205745; rev:1;) alert tcp $HOME_NET any -> [185.171.25.10] 5531 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205746; rev:1;) alert tcp $HOME_NET any -> [107.155.72.119] 1602 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205747; rev:1;) alert tcp $HOME_NET any -> [185.227.83.49] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205748; rev:1;) alert tcp $HOME_NET any -> [185.145.45.176] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205749; rev:1;) alert tcp $HOME_NET any -> [212.7.208.71] 1979 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205750; rev:1;) alert tcp $HOME_NET any -> [213.183.58.31] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205751; rev:1;) alert tcp $HOME_NET any -> [146.255.79.174] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205752; rev:1;) alert tcp $HOME_NET any -> [109.234.34.110] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905205753; rev:1;) alert tcp $HOME_NET any -> [191.101.22.27] 11339 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205754; rev:1;) alert tcp $HOME_NET any -> [185.158.114.129] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205755; rev:1;) alert tcp $HOME_NET any -> [172.104.10.121] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205756; rev:1;) alert tcp $HOME_NET any -> [95.140.125.123] 2018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205757; rev:1;) alert tcp $HOME_NET any -> [194.87.93.225] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205758; rev:1;) alert tcp $HOME_NET any -> [46.19.137.137] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205759; rev:1;) alert tcp $HOME_NET any -> [185.140.53.212] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205760; rev:1;) alert tcp $HOME_NET any -> [194.87.92.147] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205761; rev:1;) alert tcp $HOME_NET any -> [109.234.36.181] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205762; rev:1;) alert tcp $HOME_NET any -> [191.96.15.135] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205763; rev:1;) alert tcp $HOME_NET any -> [94.103.80.134] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205764; rev:1;) alert tcp $HOME_NET any -> [95.213.237.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205765; rev:1;) alert tcp $HOME_NET any -> [212.7.218.56] 9480 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205766; rev:1;) alert tcp $HOME_NET any -> [141.255.167.124] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205767; rev:1;) alert tcp $HOME_NET any -> [62.109.25.11] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205768; rev:1;) alert tcp $HOME_NET any -> [37.230.114.93] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205769; rev:1;) alert tcp $HOME_NET any -> [78.155.218.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205770; rev:1;) alert tcp $HOME_NET any -> [92.63.106.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205771; rev:1;) alert tcp $HOME_NET any -> [78.24.218.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205772; rev:1;) alert tcp $HOME_NET any -> [82.146.57.127] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205773; rev:1;) alert tcp $HOME_NET any -> [95.154.199.237] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205774; rev:1;) alert tcp $HOME_NET any -> [185.227.83.34] 2012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205775; rev:1;) alert tcp $HOME_NET any -> [194.68.59.34] 9125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205776; rev:1;) alert tcp $HOME_NET any -> [213.183.58.26] 5011 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205777; rev:1;) alert tcp $HOME_NET any -> [62.109.26.251] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205778; rev:1;) alert tcp $HOME_NET any -> [109.234.37.132] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205779; rev:1;) alert tcp $HOME_NET any -> [194.87.145.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205780; rev:1;) alert tcp $HOME_NET any -> [95.213.195.169] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205781; rev:1;) alert tcp $HOME_NET any -> [184.155.19.94] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205782; rev:1;) alert tcp $HOME_NET any -> [73.76.201.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205783; rev:1;) alert tcp $HOME_NET any -> [131.108.170.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205784; rev:1;) alert tcp $HOME_NET any -> [93.113.45.10] 443 
(msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205785; rev:1;) alert tcp $HOME_NET any -> [37.230.115.129] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205786; rev:1;) alert tcp $HOME_NET any -> [185.234.15.7] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205787; rev:1;) alert tcp $HOME_NET any -> [5.188.231.3] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205788; rev:1;) alert tcp $HOME_NET any -> [193.124.117.229] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205789; rev:1;) alert tcp $HOME_NET any -> [5.188.231.141] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205790; rev:1;) alert tcp $HOME_NET any -> [5.188.231.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205791; rev:1;) alert tcp $HOME_NET any -> [178.159.36.92] 443 (msg:"SSLBL: Traffic to malicious host (likely LockPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205792; rev:1;) alert tcp 
$HOME_NET any -> [89.36.214.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloader.AuotIT.ZLIB C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205793; rev:1;) alert tcp $HOME_NET any -> [203.24.188.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205794; rev:1;) alert tcp $HOME_NET any -> [94.177.229.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloader.AuotIT.ZLIB C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205795; rev:1;) alert tcp $HOME_NET any -> [176.31.46.70] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205796; rev:1;) alert tcp $HOME_NET any -> [185.106.120.201] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205797; rev:1;) alert tcp $HOME_NET any -> [66.222.48.40] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205798; rev:1;) alert tcp $HOME_NET any -> [86.27.41.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205799; rev:1;) alert tcp $HOME_NET any -> [95.213.251.136] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905205800; rev:1;) alert tcp $HOME_NET any -> [46.30.45.208] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205801; rev:1;) alert tcp $HOME_NET any -> [98.191.134.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205802; rev:1;) alert tcp $HOME_NET any -> [194.87.238.84] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205803; rev:1;) alert tcp $HOME_NET any -> [92.53.91.109] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205804; rev:1;) alert tcp $HOME_NET any -> [5.8.88.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205805; rev:1;) alert tcp $HOME_NET any -> [89.18.27.155] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205806; rev:1;) alert tcp $HOME_NET any -> [146.255.79.187] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205807; rev:1;) alert tcp $HOME_NET any -> [145.239.21.254] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205808; rev:1;) alert tcp $HOME_NET any -> [185.101.34.84] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205809; rev:1;) alert tcp $HOME_NET any -> [77.48.28.201] 22777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205810; rev:1;) alert tcp $HOME_NET any -> [190.123.44.141] 1501 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205811; rev:1;) alert tcp $HOME_NET any -> [185.227.83.56] 3052 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205812; rev:1;) alert tcp $HOME_NET any -> [85.204.49.128] 6088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205813; rev:1;) alert tcp $HOME_NET any -> [151.106.2.127] 7050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205814; rev:1;) alert tcp $HOME_NET any -> [195.133.201.94] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205815; rev:1;) alert tcp $HOME_NET any -> [78.130.176.192] 6796 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205816; rev:1;) alert tcp $HOME_NET any -> [213.183.58.3] 5097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205817; rev:1;) alert tcp $HOME_NET any -> [45.58.49.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205818; rev:1;) alert tcp $HOME_NET any -> [104.236.172.37] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205819; rev:1;) alert tcp $HOME_NET any -> [95.46.114.118] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205820; rev:1;) alert tcp $HOME_NET any -> [185.82.217.96] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205821; rev:1;) alert tcp $HOME_NET any -> [191.101.22.150] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205822; rev:1;) alert tcp $HOME_NET any -> [46.8.158.34] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205823; rev:1;) alert tcp $HOME_NET any -> [93.170.123.151] 443 (msg:"SSLBL: Traffic to malicious host 
(likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205824; rev:1;) alert tcp $HOME_NET any -> [95.46.98.93] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205825; rev:1;) alert tcp $HOME_NET any -> [162.248.246.229] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205826; rev:1;) alert tcp $HOME_NET any -> [107.170.231.118] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205827; rev:1;) alert tcp $HOME_NET any -> [94.242.58.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205828; rev:1;) alert tcp $HOME_NET any -> [191.101.22.101] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205829; rev:1;) alert tcp $HOME_NET any -> [192.254.173.150] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205830; rev:1;) alert tcp $HOME_NET any -> [27.102.107.180] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205831; rev:1;) alert tcp $HOME_NET any -> [185.161.210.92] 443 
(msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205832; rev:1;) alert tcp $HOME_NET any -> [92.53.66.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205833; rev:1;) alert tcp $HOME_NET any -> [94.75.240.80] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205834; rev:1;) alert tcp $HOME_NET any -> [188.120.243.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205835; rev:1;) alert tcp $HOME_NET any -> [94.250.253.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205836; rev:1;) alert tcp $HOME_NET any -> [194.87.236.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205837; rev:1;) alert tcp $HOME_NET any -> [82.146.48.241] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205838; rev:1;) alert tcp $HOME_NET any -> [193.124.117.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205839; rev:1;) alert tcp 
$HOME_NET any -> [176.56.237.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205840; rev:1;) alert tcp $HOME_NET any -> [195.2.253.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205841; rev:1;) alert tcp $HOME_NET any -> [200.111.97.235] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205842; rev:1;) alert tcp $HOME_NET any -> [94.250.255.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205843; rev:1;) alert tcp $HOME_NET any -> [191.101.22.163] 3348 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205844; rev:1;) alert tcp $HOME_NET any -> [213.183.58.56] 1997 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205845; rev:1;) alert tcp $HOME_NET any -> [185.224.133.57] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205846; rev:1;) alert tcp $HOME_NET any -> [191.101.22.2] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905205847; rev:1;)
# Review notes for the rules that follow.
# Match logic: each rule fires on an established TCP session from $HOME_NET to
# one destination IP and port (flow:established,to_server). No content or TLS
# keyword is present, so the malware family named in msg is the feed's label
# for that endpoint ("likely"), not something derived from the traffic itself.
# Rate limiting: threshold type limit / track by_src / seconds 60 / count 1
# gives at most one alert per source address per rule in a 60 second window,
# so alert counts do not reflect the number of connections made.
# Triage: an IP:port hit on its own is weak evidence, because addresses get
# reassigned and a host may serve unrelated content. Corroborate with the TLS
# certificate seen on the session or with endpoint telemetry before treating
# a hit as a confirmed infection.
# Deployment: these rules only match when $HOME_NET covers the monitored hosts.
# NOTE(review): Snort 2 documents the in-rule threshold option as deprecated in
# favour of detection_filter / event_filter; confirm against the engine in use.
alert tcp $HOME_NET any -> [185.171.25.4] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205848; rev:1;)
alert tcp $HOME_NET any -> [46.8.158.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205849; rev:1;)
alert tcp $HOME_NET any -> [212.7.208.82] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205850; rev:1;)
alert tcp $HOME_NET any -> [67.209.219.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205851; rev:1;)
alert tcp $HOME_NET any -> [179.43.147.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205852; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.32] 2323 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205853; rev:1;)
alert tcp $HOME_NET any -> [109.120.155.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205854; rev:1;)
alert tcp $HOME_NET any -> [178.33.182.138] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205855; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205856; rev:1;)
alert tcp $HOME_NET any -> [185.198.58.164] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205857; rev:1;)
alert tcp $HOME_NET any -> [185.186.140.192] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205858; rev:1;)
alert tcp $HOME_NET any -> [95.213.204.105] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205859; rev:1;)
alert tcp $HOME_NET any -> [5.200.55.47] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205860; rev:1;)
alert tcp $HOME_NET any -> [173.212.227.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205861; rev:1;)
alert tcp $HOME_NET any -> [138.197.255.18] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205862; rev:1;)
alert tcp $HOME_NET any -> [185.80.130.32] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205863; rev:1;)
alert tcp $HOME_NET any -> [62.109.16.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205864; rev:1;)
alert tcp $HOME_NET any -> [185.159.130.63] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205865; rev:1;)
alert tcp $HOME_NET any -> [62.109.26.193] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205866; rev:1;)
alert tcp $HOME_NET any -> [27.102.66.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205867; rev:1;)
alert tcp $HOME_NET any -> [5.133.11.56] 1840 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205868; rev:1;)
alert tcp $HOME_NET any -> [185.200.117.131] 3567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205869; rev:1;)
alert tcp $HOME_NET any -> [185.22.173.239] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205870; rev:1;)
alert tcp $HOME_NET any -> [185.92.239.13] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205871; rev:1;)
alert tcp $HOME_NET any -> [78.24.223.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205872; rev:1;)
alert tcp $HOME_NET any -> [95.154.199.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205873; rev:1;)
alert tcp $HOME_NET any -> [95.213.235.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205874; rev:1;)
alert tcp $HOME_NET any -> [185.34.52.58] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205875; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.115] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205876; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.56] 2644 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205877; rev:1;)
alert tcp $HOME_NET any -> [91.92.136.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205878; rev:1;)
alert tcp $HOME_NET any -> [213.208.152.206] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205879; rev:1;)
alert tcp $HOME_NET any -> [27.102.107.50] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205880; rev:1;)
alert tcp $HOME_NET any -> [185.164.34.18] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205881; rev:1;)
alert tcp $HOME_NET any -> [185.133.42.243] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205882; rev:1;)
alert tcp $HOME_NET any -> [94.177.12.239] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205883; rev:1;)
alert tcp $HOME_NET any -> [92.53.78.220] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205884; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.69] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205885; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205886; rev:1;)
alert tcp $HOME_NET any -> [137.74.150.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205887; rev:1;)
alert tcp $HOME_NET any -> [5.39.47.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205888; rev:1;)
alert tcp $HOME_NET any -> [185.22.173.238] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205889; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.13] 6447 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205890; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.23] 2051 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205891; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.212] 9572 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205892; rev:1;)
alert tcp $HOME_NET any -> [86.105.227.136] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205893; rev:1;)
alert tcp $HOME_NET any -> [213.183.40.10] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205894; rev:1;)
alert tcp $HOME_NET any -> [23.254.202.203] 2688 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205895; rev:1;)
alert tcp $HOME_NET any -> [91.92.128.45] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205896; rev:1;)
alert tcp $HOME_NET any -> [31.41.46.196] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205897; rev:1;)
alert tcp $HOME_NET any -> [185.175.158.213] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205898; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.87] 1759 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205899; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.239] 10752 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205900; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.45] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205901; rev:1;)
alert tcp $HOME_NET any -> [185.228.232.68] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205902; rev:1;)
alert tcp $HOME_NET any -> [5.133.11.63] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205903; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.252] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205904; rev:1;)
alert tcp $HOME_NET any -> [184.75.209.163] 5434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205905; rev:1;)
alert tcp $HOME_NET any -> [212.38.166.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205906; rev:1;)
alert tcp $HOME_NET any -> [194.87.111.134] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205907; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.195] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205908; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.51] 4141 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205909; rev:1;)
alert tcp $HOME_NET any -> [104.200.67.112] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205910; rev:1;)
alert tcp $HOME_NET any -> [66.146.66.27] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205911; rev:1;)
alert tcp $HOME_NET any -> [154.16.63.19] 6045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205912; rev:1;)
alert tcp $HOME_NET any -> [172.75.241.225] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205913; rev:1;)
alert tcp $HOME_NET any -> [94.177.12.101] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205914; rev:1;)
alert tcp $HOME_NET any -> [95.150.72.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205915; rev:1;)
alert tcp $HOME_NET any -> [128.199.244.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205916; rev:1;)
alert tcp $HOME_NET any -> [164.177.159.22] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205917; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.71] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205918; rev:1;)
alert tcp $HOME_NET any -> [37.230.113.231] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205919; rev:1;)
alert tcp $HOME_NET any -> [94.250.254.104] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205920; rev:1;)
alert tcp $HOME_NET any -> [208.69.58.252] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205921; rev:1;)
alert tcp $HOME_NET any -> [27.102.67.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205922; rev:1;)
alert tcp $HOME_NET any -> [194.87.238.194] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205923; rev:1;)
alert tcp $HOME_NET any -> [195.133.197.115] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205924; rev:1;)
alert tcp $HOME_NET any -> [95.213.236.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205925; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.200] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205926; rev:1;)
alert tcp $HOME_NET any -> [212.7.218.59] 8741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205927; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.196] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205928; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.86] 9555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205929; rev:1;)
alert tcp $HOME_NET any -> [185.34.52.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205930; rev:1;)
alert tcp $HOME_NET any -> [45.63.77.42] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205931; rev:1;)
alert tcp $HOME_NET any -> [83.0.245.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205932; rev:1;)
alert tcp $HOME_NET any -> [89.37.226.101] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205933; rev:1;)
alert tcp $HOME_NET any -> [60.190.27.162] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205934; rev:1;)
alert tcp $HOME_NET any -> [91.92.128.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205935; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.24] 1895 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205936; rev:1;)
alert tcp $HOME_NET any -> [46.249.62.244] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205937; rev:1;)
alert tcp $HOME_NET any -> [185.164.34.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205938; rev:1;)
alert tcp $HOME_NET any -> [187.188.162.150] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205939; rev:1;)
alert tcp $HOME_NET any -> [162.255.117.34] 800 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205940; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.197] 1888 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205941; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.237] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205942; rev:1;)
alert tcp $HOME_NET any -> [95.213.252.209] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205943; rev:1;)
alert tcp $HOME_NET any -> [194.87.145.199] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205944; rev:1;)
alert tcp $HOME_NET any -> [109.120.152.175] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205945; rev:1;)
alert tcp $HOME_NET any -> [27.102.106.140] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205946; rev:1;)
alert tcp $HOME_NET any -> [204.152.219.98] 9988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205947; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.43] 1011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205948; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.129] 1234 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205949; rev:1;)
alert tcp $HOME_NET any -> [179.43.147.235] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205950; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.173] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205951; rev:1;)
alert tcp $HOME_NET any -> [185.80.130.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205952; rev:1;)
alert tcp $HOME_NET any -> [108.49.159.2] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205953; rev:1;)
alert tcp $HOME_NET any -> [107.170.65.224] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205954; rev:1;)
alert tcp $HOME_NET any -> [79.106.41.23] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205955; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.78] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205956; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.11] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205957; rev:1;)
alert tcp $HOME_NET any -> [86.105.227.152] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205958; rev:1;)
alert tcp $HOME_NET any -> [185.28.63.109] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205959; rev:1;)
alert tcp $HOME_NET any -> [92.63.105.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205960; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.119] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205961; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.5] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205962; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.174] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205963; rev:1;)
alert tcp $HOME_NET any -> [89.45.67.104] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205964; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.73] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205965; rev:1;)
alert tcp $HOME_NET any -> [95.213.194.244] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205966; rev:1;)
alert tcp $HOME_NET any -> [149.154.71.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205967; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.226] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205968; rev:1;)
alert tcp $HOME_NET any -> [185.82.200.224] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205969; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.172] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205970; rev:1;)
alert tcp $HOME_NET any -> [78.155.206.233] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205971; rev:1;)
alert tcp $HOME_NET any -> [185.213.209.194] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205972; rev:1;)
alert tcp $HOME_NET any -> [91.134.203.113] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205973; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205974; rev:1;)
alert tcp $HOME_NET any -> [154.16.63.167] 7878 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205975; rev:1;)
alert tcp $HOME_NET any -> [89.171.146.30] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205976; rev:1;)
alert tcp $HOME_NET any -> [104.131.89.74] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205977; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.180] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205978; rev:1;)
alert tcp $HOME_NET any -> [95.213.252.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205979; rev:1;)
alert tcp $HOME_NET any -> [185.106.120.167] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205980; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.122] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205981; rev:1;)
alert tcp $HOME_NET any -> [187.191.0.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205982; rev:1;)
alert tcp $HOME_NET any -> [5.200.35.40] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205983; rev:1;)
alert tcp $HOME_NET any -> [156.17.92.161] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205984; rev:1;)
alert tcp $HOME_NET any -> [145.249.105.20] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205985; rev:1;)
alert tcp $HOME_NET any -> [78.24.217.88] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205986; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.117] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205987; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.168] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205988; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.95] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205989; rev:1;)
alert tcp $HOME_NET any -> [104.236.49.165] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205990; rev:1;)
alert tcp $HOME_NET any -> [46.22.211.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205991; rev:1;)
alert tcp $HOME_NET any -> [164.132.28.118] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205992; rev:1;)
alert tcp $HOME_NET any -> [194.87.239.104] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205993; rev:1;)
alert tcp $HOME_NET any -> [181.211.34.154] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205994; rev:1;)
alert tcp $HOME_NET any -> [89.45.67.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205995; rev:1;)
alert tcp $HOME_NET any -> [37.230.112.61] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205996; rev:1;)
alert tcp $HOME_NET any -> [80.188.120.11] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205997; rev:1;)
alert tcp $HOME_NET any -> [212.38.166.236] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205998; rev:1;)
alert tcp $HOME_NET any -> [194.87.234.254] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905205999; rev:1;)
alert tcp $HOME_NET any -> [77.244.215.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206000; rev:1;)
alert tcp $HOME_NET any -> [188.120.249.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206001; rev:1;)
alert tcp $HOME_NET any -> [185.117.73.235] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206002; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.172] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206003; rev:1;)
alert tcp $HOME_NET any -> [62.109.9.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206004; rev:1;)
alert tcp $HOME_NET any -> [149.154.69.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206005; rev:1;)
alert tcp $HOME_NET any -> [93.95.97.138] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206006; rev:1;)
alert tcp $HOME_NET any -> [188.120.248.190] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206007; rev:1;)
alert tcp $HOME_NET any -> [185.77.128.166] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206008; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.123] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206009; rev:1;)
alert tcp $HOME_NET any -> [79.119.121.185] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206010; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206011; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.154] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905206012; rev:1;) alert tcp $HOME_NET any -> [185.183.96.165] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206013; rev:1;) alert tcp $HOME_NET any -> [119.28.153.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Zloader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206014; rev:1;) alert tcp $HOME_NET any -> [193.124.117.39] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206015; rev:1;) alert tcp $HOME_NET any -> [80.87.198.198] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206016; rev:1;) alert tcp $HOME_NET any -> [86.105.227.137] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206017; rev:1;) alert tcp $HOME_NET any -> [37.60.177.199] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206018; rev:1;) alert tcp $HOME_NET any -> [79.170.7.139] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206019; rev:1;) alert tcp $HOME_NET any -> [107.161.160.30] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206020; rev:1;) alert tcp $HOME_NET any -> [109.230.199.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206021; rev:1;) alert tcp $HOME_NET any -> [188.120.231.188] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206022; rev:1;) alert tcp $HOME_NET any -> [188.137.86.7] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206023; rev:1;) alert tcp $HOME_NET any -> [37.220.31.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206024; rev:1;) alert tcp $HOME_NET any -> [195.133.146.111] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206025; rev:1;) alert tcp $HOME_NET any -> [62.102.148.166] 4414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206026; rev:1;) alert tcp $HOME_NET any -> [185.82.217.224] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206027; rev:1;) alert tcp $HOME_NET any -> [169.239.129.47] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206028; rev:1;) alert tcp $HOME_NET any -> [185.82.216.187] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206029; rev:1;) alert tcp $HOME_NET any -> [141.255.167.112] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206030; rev:1;) alert tcp $HOME_NET any -> [196.202.194.202] 451 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206031; rev:1;) alert tcp $HOME_NET any -> [70.184.5.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206032; rev:1;) alert tcp $HOME_NET any -> [94.177.12.245] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206033; rev:1;) alert tcp $HOME_NET any -> [185.82.218.28] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206034; rev:1;) alert tcp $HOME_NET any -> [185.84.181.83] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206035; rev:1;) alert tcp $HOME_NET any -> [74.202.242.28] 443 (msg:"SSLBL: Traffic 
to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206036; rev:1;) alert tcp $HOME_NET any -> [194.87.232.219] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206037; rev:1;) alert tcp $HOME_NET any -> [194.87.103.184] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206038; rev:1;) alert tcp $HOME_NET any -> [146.255.79.173] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206039; rev:1;) alert tcp $HOME_NET any -> [78.130.176.162] 2018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206040; rev:1;) alert tcp $HOME_NET any -> [194.87.93.172] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206041; rev:1;) alert tcp $HOME_NET any -> [146.255.79.165] 1010 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206042; rev:1;) alert tcp $HOME_NET any -> [82.146.59.247] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206043; rev:1;) alert tcp $HOME_NET any -> 
[82.146.45.93] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206044; rev:1;) alert tcp $HOME_NET any -> [5.196.54.0] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206045; rev:1;) alert tcp $HOME_NET any -> [185.159.131.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206046; rev:1;) alert tcp $HOME_NET any -> [104.140.247.125] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206047; rev:1;) alert tcp $HOME_NET any -> [185.117.73.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206048; rev:1;) alert tcp $HOME_NET any -> [82.146.56.32] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206049; rev:1;) alert tcp $HOME_NET any -> [194.87.103.240] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206050; rev:1;) alert tcp $HOME_NET any -> [92.63.102.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206051; 
rev:1;) alert tcp $HOME_NET any -> [194.87.103.74] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206052; rev:1;) alert tcp $HOME_NET any -> [49.51.134.93] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206053; rev:1;) alert tcp $HOME_NET any -> [185.158.113.194] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206054; rev:1;) alert tcp $HOME_NET any -> [194.87.102.14] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206055; rev:1;) alert tcp $HOME_NET any -> [185.82.218.26] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206056; rev:1;) alert tcp $HOME_NET any -> [85.221.243.6] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206057; rev:1;) alert tcp $HOME_NET any -> [82.146.40.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206058; rev:1;) alert tcp $HOME_NET any -> [82.146.47.127] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905206059; rev:1;) alert tcp $HOME_NET any -> [92.63.102.64] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206060; rev:1;) alert tcp $HOME_NET any -> [185.158.152.225] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206061; rev:1;) alert tcp $HOME_NET any -> [66.222.49.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206062; rev:1;) alert tcp $HOME_NET any -> [107.170.101.158] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206063; rev:1;) alert tcp $HOME_NET any -> [185.198.57.134] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206064; rev:1;) alert tcp $HOME_NET any -> [216.126.58.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206065; rev:1;) alert tcp $HOME_NET any -> [86.105.1.102] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206066; rev:1;) alert tcp $HOME_NET any -> [194.87.92.191] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206067; rev:1;) alert tcp $HOME_NET any -> [195.133.196.130] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206068; rev:1;) alert tcp $HOME_NET any -> [195.133.49.17] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206069; rev:1;) alert tcp $HOME_NET any -> [49.51.35.119] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206070; rev:1;) alert tcp $HOME_NET any -> [185.158.153.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206071; rev:1;) alert tcp $HOME_NET any -> [194.87.239.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206072; rev:1;) alert tcp $HOME_NET any -> [46.237.117.193] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206073; rev:1;) alert tcp $HOME_NET any -> [194.87.236.59] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206074; rev:1;) alert tcp $HOME_NET any -> [76.179.72.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206075; rev:1;) alert tcp $HOME_NET any -> [132.206.59.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206076; rev:1;) alert tcp $HOME_NET any -> [67.139.169.66] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206077; rev:1;) alert tcp $HOME_NET any -> [216.187.170.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206078; rev:1;) alert tcp $HOME_NET any -> [189.244.44.128] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206079; rev:1;) alert tcp $HOME_NET any -> [96.246.147.237] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206080; rev:1;) alert tcp $HOME_NET any -> [24.182.236.58] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206081; rev:1;) alert tcp $HOME_NET any -> [108.35.21.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206082; rev:1;) alert tcp $HOME_NET any -> [185.84.181.79] 4820 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206083; rev:1;) alert tcp $HOME_NET any -> [5.2.76.91] 6868 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206084; rev:1;) alert tcp $HOME_NET any -> [87.106.219.40] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206085; rev:1;) alert tcp $HOME_NET any -> [172.112.229.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206086; rev:1;) alert tcp $HOME_NET any -> [176.10.124.197] 3487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206087; rev:1;) alert tcp $HOME_NET any -> [64.132.75.142] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206088; rev:1;) alert tcp $HOME_NET any -> [185.198.57.57] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206089; rev:1;) alert tcp $HOME_NET any -> [49.51.38.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206090; rev:1;) alert tcp $HOME_NET any -> [181.215.247.26] 9090 
(msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206091; rev:1;) alert tcp $HOME_NET any -> [185.198.57.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206092; rev:1;) alert tcp $HOME_NET any -> [185.127.26.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206093; rev:1;) alert tcp $HOME_NET any -> [5.200.35.63] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206094; rev:1;) alert tcp $HOME_NET any -> [162.243.137.50] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206095; rev:1;) alert tcp $HOME_NET any -> [173.203.123.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206096; rev:1;) alert tcp $HOME_NET any -> [204.152.219.72] 7878 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206097; rev:1;) alert tcp $HOME_NET any -> [176.10.124.239] 7790 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206098; rev:1;) alert tcp 
$HOME_NET any -> [23.105.131.150] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206099; rev:1;) alert tcp $HOME_NET any -> [31.171.155.60] 5588 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206100; rev:1;) alert tcp $HOME_NET any -> [194.87.99.234] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206101; rev:1;) alert tcp $HOME_NET any -> [95.167.151.233] 4045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206102; rev:1;) alert tcp $HOME_NET any -> [197.85.185.132] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206103; rev:1;) alert tcp $HOME_NET any -> [95.167.151.234] 9212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206104; rev:1;) alert tcp $HOME_NET any -> [176.10.124.230] 1566 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206105; rev:1;) alert tcp $HOME_NET any -> [185.198.57.151] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905206106; rev:1;) alert tcp $HOME_NET any -> [89.35.228.243] 4780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206107; rev:1;) alert tcp $HOME_NET any -> [91.233.116.104] 7728 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206108; rev:1;) alert tcp $HOME_NET any -> [154.16.63.221] 9909 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206109; rev:1;) alert tcp $HOME_NET any -> [213.183.58.35] 4101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206110; rev:1;) alert tcp $HOME_NET any -> [82.146.40.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206111; rev:1;) alert tcp $HOME_NET any -> [185.112.82.64] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206112; rev:1;) alert tcp $HOME_NET any -> [205.185.117.108] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206113; rev:1;) alert tcp $HOME_NET any -> [209.200.27.76] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206114; rev:1;) alert tcp $HOME_NET any -> [92.207.100.244] 4843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206115; rev:1;) alert tcp $HOME_NET any -> [185.84.181.85] 7177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206116; rev:1;) alert tcp $HOME_NET any -> [78.130.176.213] 6790 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206117; rev:1;) alert tcp $HOME_NET any -> [193.218.145.101] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206118; rev:1;) alert tcp $HOME_NET any -> [185.117.72.98] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206119; rev:1;) alert tcp $HOME_NET any -> [49.51.135.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206120; rev:1;) alert tcp $HOME_NET any -> [194.87.111.83] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206121; rev:1;) alert tcp $HOME_NET any -> [5.45.86.128] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206122; rev:1;) alert tcp $HOME_NET any -> [185.158.115.61] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206123; rev:1;) alert tcp $HOME_NET any -> [194.87.98.234] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206124; rev:1;) alert tcp $HOME_NET any -> [94.75.77.162] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206125; rev:1;) alert tcp $HOME_NET any -> [49.51.133.206] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206126; rev:1;) alert tcp $HOME_NET any -> [191.101.22.20] 8787 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206127; rev:1;) alert tcp $HOME_NET any -> [45.77.97.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206128; rev:1;) alert tcp $HOME_NET any -> [47.74.154.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206129; rev:1;) alert tcp $HOME_NET any -> [195.133.146.156] 443 (msg:"SSLBL: Traffic to malicious 
host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206130; rev:1;) alert tcp $HOME_NET any -> [5.8.88.181] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206131; rev:1;) alert tcp $HOME_NET any -> [5.45.83.115] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206132; rev:1;) alert tcp $HOME_NET any -> [176.10.124.223] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206133; rev:1;) alert tcp $HOME_NET any -> [194.87.110.49] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206134; rev:1;) alert tcp $HOME_NET any -> [54.208.118.55] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206135; rev:1;) alert tcp $HOME_NET any -> [34.229.150.157] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206136; rev:1;) alert tcp $HOME_NET any -> [185.141.25.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206137; rev:1;) alert tcp $HOME_NET any -> [103.25.58.168] 5676 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206138; rev:1;) alert tcp $HOME_NET any -> [107.189.162.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206139; rev:1;) alert tcp $HOME_NET any -> [195.133.147.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206140; rev:1;) alert tcp $HOME_NET any -> [89.231.13.38] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206141; rev:1;) alert tcp $HOME_NET any -> [188.137.122.40] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206142; rev:1;) alert tcp $HOME_NET any -> [185.158.115.57] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206143; rev:1;) alert tcp $HOME_NET any -> [188.137.122.68] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206144; rev:1;) alert tcp $HOME_NET any -> [195.133.144.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206145; rev:1;) alert tcp 
$HOME_NET any -> [73.166.89.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206146; rev:1;) alert tcp $HOME_NET any -> [5.8.88.31] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206147; rev:1;) alert tcp $HOME_NET any -> [18.220.233.103] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206148; rev:1;) alert tcp $HOME_NET any -> [176.10.124.228] 4147 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206149; rev:1;) alert tcp $HOME_NET any -> [47.89.254.87] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206150; rev:1;) alert tcp $HOME_NET any -> [52.90.250.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206151; rev:1;) alert tcp $HOME_NET any -> [195.133.145.222] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206152; rev:1;) alert tcp $HOME_NET any -> [190.1.231.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905206153; rev:1;) alert tcp $HOME_NET any -> [185.94.191.82] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206154; rev:1;) alert tcp $HOME_NET any -> [188.137.122.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206155; rev:1;) alert tcp $HOME_NET any -> [45.32.70.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206156; rev:1;) alert tcp $HOME_NET any -> [5.188.231.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206157; rev:1;) alert tcp $HOME_NET any -> [194.87.99.225] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206158; rev:1;) alert tcp $HOME_NET any -> [185.86.150.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206159; rev:1;) alert tcp $HOME_NET any -> [178.175.138.198] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206160; rev:1;) alert tcp $HOME_NET any -> [18.221.102.212] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905206161; rev:1;) alert tcp $HOME_NET any -> [91.83.88.51] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206162; rev:1;) alert tcp $HOME_NET any -> [47.89.253.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Zloader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206163; rev:1;) alert tcp $HOME_NET any -> [155.94.238.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206164; rev:1;) alert tcp $HOME_NET any -> [194.87.93.97] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206165; rev:1;) alert tcp $HOME_NET any -> [91.211.246.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206166; rev:1;) alert tcp $HOME_NET any -> [5.8.88.219] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206167; rev:1;) alert tcp $HOME_NET any -> [5.188.231.46] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206168; rev:1;) alert tcp $HOME_NET any -> [185.165.29.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206169; rev:1;) alert tcp $HOME_NET any -> [74.208.167.95] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206170; rev:1;) alert tcp $HOME_NET any -> [185.174.101.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206171; rev:1;) alert tcp $HOME_NET any -> [87.106.15.52] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206172; rev:1;) alert tcp $HOME_NET any -> [178.156.202.159] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206173; rev:1;) alert tcp $HOME_NET any -> [5.133.179.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206174; rev:1;) alert tcp $HOME_NET any -> [103.208.86.215] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206175; rev:1;) alert tcp $HOME_NET any -> [185.80.128.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206176; rev:1;) alert tcp $HOME_NET any -> [91.236.116.144] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206177; rev:1;) alert tcp $HOME_NET any -> [194.68.59.45] 5657 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206178; rev:1;) alert tcp $HOME_NET any -> [195.133.48.80] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206179; rev:1;) alert tcp $HOME_NET any -> [194.87.99.62] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206180; rev:1;) alert tcp $HOME_NET any -> [185.82.200.159] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206181; rev:1;) alert tcp $HOME_NET any -> [184.155.19.94] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206182; rev:1;) alert tcp $HOME_NET any -> [216.107.149.57] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206183; rev:1;) alert tcp $HOME_NET any -> [47.74.150.46] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206184; rev:1;) alert tcp $HOME_NET any -> [5.188.231.44] 443 (msg:"SSLBL: Traffic to malicious host 
(likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206185; rev:1;) alert tcp $HOME_NET any -> [185.203.118.198] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206186; rev:1;) alert tcp $HOME_NET any -> [185.82.217.212] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206187; rev:1;) alert tcp $HOME_NET any -> [95.140.125.26] 1677 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206188; rev:1;) alert tcp $HOME_NET any -> [107.173.168.160] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206189; rev:1;) alert tcp $HOME_NET any -> [66.85.27.170] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206190; rev:1;) alert tcp $HOME_NET any -> [178.175.138.167] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206191; rev:1;) alert tcp $HOME_NET any -> [146.255.79.167] 88 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206192; rev:1;) alert tcp $HOME_NET any -> [78.130.176.192] 6463 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206193; rev:1;) alert tcp $HOME_NET any -> [181.215.247.7] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206194; rev:1;) alert tcp $HOME_NET any -> [173.254.223.88] 1592 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206195; rev:1;) alert tcp $HOME_NET any -> [194.87.102.36] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206196; rev:1;) alert tcp $HOME_NET any -> [191.101.22.168] 1759 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206197; rev:1;) alert tcp $HOME_NET any -> [188.165.62.8] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206198; rev:1;) alert tcp $HOME_NET any -> [174.127.99.156] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206199; rev:1;) alert tcp $HOME_NET any -> [78.130.176.223] 6666 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206200; rev:1;) alert tcp 
$HOME_NET any -> [103.16.27.91] 5874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206201; rev:1;) alert tcp $HOME_NET any -> [89.46.222.232] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206202; rev:1;) alert tcp $HOME_NET any -> [191.101.22.27] 1616 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206203; rev:1;) alert tcp $HOME_NET any -> [31.31.77.229] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206204; rev:1;) alert tcp $HOME_NET any -> [194.68.59.33] 7798 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206205; rev:1;) alert tcp $HOME_NET any -> [94.242.213.178] 3360 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206206; rev:1;) alert tcp $HOME_NET any -> [95.183.52.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206207; rev:1;) alert tcp $HOME_NET any -> [185.189.112.142] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905206208; rev:1;) alert tcp $HOME_NET any -> [64.71.166.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206209; rev:1;) alert tcp $HOME_NET any -> [144.208.127.142] 1986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206210; rev:1;) alert tcp $HOME_NET any -> [94.242.213.97] 3360 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206211; rev:1;) alert tcp $HOME_NET any -> [173.254.252.209] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206212; rev:1;) alert tcp $HOME_NET any -> [79.124.78.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206213; rev:1;) alert tcp $HOME_NET any -> [154.16.220.117] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206214; rev:1;) alert tcp $HOME_NET any -> [146.255.79.186] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206215; rev:1;) alert tcp $HOME_NET any -> [134.19.176.150] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905206216; rev:1;) alert tcp $HOME_NET any -> [210.16.101.88] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206217; rev:1;) alert tcp $HOME_NET any -> [51.254.164.249] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206218; rev:1;) alert tcp $HOME_NET any -> [89.34.99.133] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206219; rev:1;) alert tcp $HOME_NET any -> [172.93.37.143] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206220; rev:1;) alert tcp $HOME_NET any -> [91.139.236.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206221; rev:1;) alert tcp $HOME_NET any -> [216.244.71.140] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206222; rev:1;) alert tcp $HOME_NET any -> [219.92.199.191] 4442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206223; rev:1;) alert tcp $HOME_NET any -> [5.152.210.165] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206224; rev:1;) alert tcp $HOME_NET any -> [37.59.183.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206225; rev:1;) alert tcp $HOME_NET any -> [84.40.65.85] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206226; rev:1;) alert tcp $HOME_NET any -> [93.190.142.100] 8090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206227; rev:1;) alert tcp $HOME_NET any -> [172.81.178.93] 1033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206228; rev:1;) alert tcp $HOME_NET any -> [37.230.228.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206229; rev:1;) alert tcp $HOME_NET any -> [95.140.125.28] 9977 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206230; rev:1;) alert tcp $HOME_NET any -> [172.93.148.175] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206231; rev:1;) alert tcp $HOME_NET any -> [213.184.126.153] 5001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206232; rev:1;) alert tcp $HOME_NET any -> [176.10.124.236] 8073 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206233; rev:1;) alert tcp $HOME_NET any -> [87.121.76.172] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206234; rev:1;) alert tcp $HOME_NET any -> [93.123.73.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206235; rev:1;) alert tcp $HOME_NET any -> [185.40.20.42] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206236; rev:1;) alert tcp $HOME_NET any -> [185.145.45.73] 4111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206237; rev:1;) alert tcp $HOME_NET any -> [178.175.138.143] 2098 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206238; rev:1;) alert tcp $HOME_NET any -> [146.255.79.175] 7524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206239; rev:1;) alert tcp $HOME_NET any -> [181.215.247.219] 3088 (msg:"SSLBL: Traffic to malicious 
host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206240; rev:1;) alert tcp $HOME_NET any -> [212.7.218.64] 19989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206241; rev:1;) alert tcp $HOME_NET any -> [194.68.59.33] 7793 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206242; rev:1;) alert tcp $HOME_NET any -> [178.175.138.196] 2024 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206243; rev:1;) alert tcp $HOME_NET any -> [188.165.62.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206244; rev:1;) alert tcp $HOME_NET any -> [146.255.79.170] 7054 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206245; rev:1;) alert tcp $HOME_NET any -> [210.16.102.142] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206246; rev:1;) alert tcp $HOME_NET any -> [209.141.38.25] 3479 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206247; rev:1;) alert tcp $HOME_NET any -> [78.130.176.162] 54669 
(msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206248; rev:1;) alert tcp $HOME_NET any -> [5.187.49.227] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206249; rev:1;) alert tcp $HOME_NET any -> [23.105.131.190] 7088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206250; rev:1;) alert tcp $HOME_NET any -> [213.183.58.52] 4644 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206251; rev:1;) alert tcp $HOME_NET any -> [162.248.75.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206252; rev:1;) alert tcp $HOME_NET any -> [24.13.179.247] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206253; rev:1;) alert tcp $HOME_NET any -> [185.189.112.134] 8091 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206254; rev:1;) alert tcp $HOME_NET any -> [178.175.138.200] 4571 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206255; rev:1;) alert tcp 
$HOME_NET any -> [144.208.126.172] 1995 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206256; rev:1;) alert tcp $HOME_NET any -> [104.171.113.230] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206257; rev:1;) alert tcp $HOME_NET any -> [191.101.22.15] 7928 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206258; rev:1;) alert tcp $HOME_NET any -> [64.15.75.83] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206259; rev:1;) alert tcp $HOME_NET any -> [195.62.52.100] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206260; rev:1;) alert tcp $HOME_NET any -> [79.172.242.32] 7278 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206261; rev:1;) alert tcp $HOME_NET any -> [209.141.39.145] 9005 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206262; rev:1;) alert tcp $HOME_NET any -> [176.10.124.245] 7000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905206263; rev:1;) alert tcp $HOME_NET any -> [91.236.116.142] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206264; rev:1;) alert tcp $HOME_NET any -> [212.7.208.88] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206265; rev:1;) alert tcp $HOME_NET any -> [146.255.79.169] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206266; rev:1;) alert tcp $HOME_NET any -> [185.145.45.9] 2176 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206267; rev:1;) alert tcp $HOME_NET any -> [54.85.217.174] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206268; rev:1;) alert tcp $HOME_NET any -> [192.253.242.233] 6061 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206269; rev:1;) alert tcp $HOME_NET any -> [210.186.224.62] 4442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206270; rev:1;) alert tcp $HOME_NET any -> [194.68.59.36] 100 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905206271; rev:1;) alert tcp $HOME_NET any -> [191.101.22.21] 9876 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206272; rev:1;) alert tcp $HOME_NET any -> [174.127.99.153] 7789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206273; rev:1;) alert tcp $HOME_NET any -> [174.127.99.171] 2017 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206274; rev:1;) alert tcp $HOME_NET any -> [37.49.224.26] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206275; rev:1;) alert tcp $HOME_NET any -> [146.255.79.170] 8190 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206276; rev:1;) alert tcp $HOME_NET any -> [185.29.9.15] 9220 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206277; rev:1;) alert tcp $HOME_NET any -> [213.183.58.42] 3012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206278; rev:1;) alert tcp $HOME_NET any -> [192.166.218.230] 1779 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206279; rev:1;) alert tcp $HOME_NET any -> [174.127.99.130] 2014 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206280; rev:1;) alert tcp $HOME_NET any -> [213.183.58.34] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206281; rev:1;) alert tcp $HOME_NET any -> [5.187.49.226] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206282; rev:1;) alert tcp $HOME_NET any -> [23.227.201.27] 5053 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206283; rev:1;) alert tcp $HOME_NET any -> [185.141.27.19] 1008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206284; rev:1;) alert tcp $HOME_NET any -> [213.183.58.56] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206285; rev:1;) alert tcp $HOME_NET any -> [37.10.71.146] 1961 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206286; rev:1;) alert tcp $HOME_NET any -> [185.84.181.89] 3545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206287; rev:1;) alert tcp $HOME_NET any -> [144.208.127.126] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206288; rev:1;) alert tcp $HOME_NET any -> [213.183.58.37] 64666 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206289; rev:1;) alert tcp $HOME_NET any -> [185.153.229.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Nexuslogger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206290; rev:1;) alert tcp $HOME_NET any -> [95.141.43.219] 2204 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206291; rev:1;) alert tcp $HOME_NET any -> [204.152.219.112] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206292; rev:1;) alert tcp $HOME_NET any -> [146.71.87.103] 1992 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206293; rev:1;) alert tcp $HOME_NET any -> [185.208.170.155] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206294; rev:1;) alert tcp $HOME_NET any -> [185.145.45.145] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206295; rev:1;) alert tcp $HOME_NET any -> [95.167.151.228] 7769 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206296; rev:1;) alert tcp $HOME_NET any -> [195.88.208.202] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206297; rev:1;) alert tcp $HOME_NET any -> [212.7.218.143] 7543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206298; rev:1;) alert tcp $HOME_NET any -> [84.238.198.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206299; rev:1;) alert tcp $HOME_NET any -> [172.82.162.246] 8090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206300; rev:1;) alert tcp $HOME_NET any -> [213.183.58.34] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206301; rev:1;) alert tcp $HOME_NET any -> [176.10.124.234] 1903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206302; rev:1;) alert tcp $HOME_NET any -> [188.165.26.166] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206303; rev:1;) alert tcp $HOME_NET any -> [193.105.134.78] 1472 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206304; rev:1;) alert tcp $HOME_NET any -> [89.35.228.232] 4044 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206305; rev:1;) alert tcp $HOME_NET any -> [174.127.99.146] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206306; rev:1;) alert tcp $HOME_NET any -> [192.237.180.245] 667 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206307; rev:1;) alert tcp $HOME_NET any -> [176.10.124.226] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206308; rev:1;) alert tcp $HOME_NET any -> [5.133.15.5] 4245 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206309; rev:1;) alert tcp $HOME_NET any -> [23.105.131.186] 1101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206310; rev:1;) alert tcp $HOME_NET any -> [178.175.138.200] 
9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206311; rev:1;) alert tcp $HOME_NET any -> [151.80.84.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206312; rev:1;) alert tcp $HOME_NET any -> [185.120.144.151] 1906 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206313; rev:1;) alert tcp $HOME_NET any -> [204.152.219.93] 4466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206314; rev:1;) alert tcp $HOME_NET any -> [23.105.131.156] 4321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206315; rev:1;) alert tcp $HOME_NET any -> [146.71.87.11] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206316; rev:1;) alert tcp $HOME_NET any -> [174.127.99.128] 3445 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206317; rev:1;) alert tcp $HOME_NET any -> [38.95.111.202] 5577 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206318; rev:1;) alert tcp 
$HOME_NET any -> [66.11.124.213] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206319; rev:1;) alert tcp $HOME_NET any -> [185.75.59.209] 7719 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206320; rev:1;) alert tcp $HOME_NET any -> [172.93.148.168] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206321; rev:1;) alert tcp $HOME_NET any -> [23.105.131.158] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206322; rev:1;) alert tcp $HOME_NET any -> [181.215.247.123] 1605 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206323; rev:1;) alert tcp $HOME_NET any -> [185.208.210.40] 1334 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206324; rev:1;) alert tcp $HOME_NET any -> [213.184.126.131] 6022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206325; rev:1;) alert tcp $HOME_NET any -> [185.30.144.205] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905206326; rev:1;) alert tcp $HOME_NET any -> [81.95.123.210] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206327; rev:1;) alert tcp $HOME_NET any -> [91.214.114.179] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206328; rev:1;) alert tcp $HOME_NET any -> [131.153.37.30] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206329; rev:1;) alert tcp $HOME_NET any -> [69.247.60.183] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206330; rev:1;) alert tcp $HOME_NET any -> [193.124.117.102] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206331; rev:1;) alert tcp $HOME_NET any -> [185.172.31.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206332; rev:1;) alert tcp $HOME_NET any -> [213.152.161.149] 3487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206333; rev:1;) alert tcp $HOME_NET any -> [154.16.49.165] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905206334; rev:1;) alert tcp $HOME_NET any -> [5.8.88.40] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206335; rev:1;) alert tcp $HOME_NET any -> [94.242.252.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206336; rev:1;) alert tcp $HOME_NET any -> [5.188.231.10] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206337; rev:1;) alert tcp $HOME_NET any -> [94.242.208.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206338; rev:1;) alert tcp $HOME_NET any -> [146.185.254.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206339; rev:1;) alert tcp $HOME_NET any -> [37.59.80.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206340; rev:1;) alert tcp $HOME_NET any -> [37.59.183.143] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206341; rev:1;) alert tcp $HOME_NET any -> [89.223.31.232] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206342; rev:1;) alert tcp $HOME_NET any -> [5.8.88.194] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206343; rev:1;) alert tcp $HOME_NET any -> [94.23.170.129] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206344; rev:1;) alert tcp $HOME_NET any -> [94.74.81.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206345; rev:1;) alert tcp $HOME_NET any -> [5.188.231.125] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206346; rev:1;) alert tcp $HOME_NET any -> [185.84.181.96] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206347; rev:1;) alert tcp $HOME_NET any -> [186.103.161.204] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206348; rev:1;) alert tcp $HOME_NET any -> [185.84.181.78] 2022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206349; rev:1;) alert tcp $HOME_NET any -> [103.68.223.134] 6329 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206350; rev:1;) alert tcp $HOME_NET any -> [213.183.58.35] 2446 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206351; rev:1;) alert tcp $HOME_NET any -> [185.84.181.89] 7262 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206352; rev:1;) alert tcp $HOME_NET any -> [216.244.79.18] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206353; rev:1;) alert tcp $HOME_NET any -> [154.16.49.142] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206354; rev:1;) alert tcp $HOME_NET any -> [213.183.58.35] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206355; rev:1;) alert tcp $HOME_NET any -> [154.16.49.141] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206356; rev:1;) alert tcp $HOME_NET any -> [86.99.122.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206357; rev:1;) alert tcp $HOME_NET any -> [95.141.43.199] 9090 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206358; rev:1;) alert tcp $HOME_NET any -> [154.16.49.125] 4087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206359; rev:1;) alert tcp $HOME_NET any -> [209.222.111.183] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206360; rev:1;) alert tcp $HOME_NET any -> [172.94.117.219] 1609 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206361; rev:1;) alert tcp $HOME_NET any -> [154.16.49.144] 3087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206362; rev:1;) alert tcp $HOME_NET any -> [31.171.155.68] 9455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206363; rev:1;) alert tcp $HOME_NET any -> [178.175.138.224] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206364; rev:1;) alert tcp $HOME_NET any -> [212.7.218.60] 2010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206365; rev:1;) alert tcp $HOME_NET any -> [189.84.113.83] 447 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206366; rev:1;) alert tcp $HOME_NET any -> [91.236.116.143] 2322 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206367; rev:1;) alert tcp $HOME_NET any -> [23.253.243.44] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206368; rev:1;) alert tcp $HOME_NET any -> [190.34.158.250] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206369; rev:1;) alert tcp $HOME_NET any -> [118.91.178.98] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206370; rev:1;) alert tcp $HOME_NET any -> [118.91.178.145] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206371; rev:1;) alert tcp $HOME_NET any -> [118.91.178.114] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206372; rev:1;) alert tcp $HOME_NET any -> [213.183.58.50] 4055 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206373; rev:1;) alert tcp 
$HOME_NET any -> [194.68.59.77] 3443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206374; rev:1;) alert tcp $HOME_NET any -> [186.114.237.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206375; rev:1;) alert tcp $HOME_NET any -> [93.99.68.140] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206376; rev:1;) alert tcp $HOME_NET any -> [213.183.58.54] 2558 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206377; rev:1;) alert tcp $HOME_NET any -> [194.87.111.85] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206378; rev:1;) alert tcp $HOME_NET any -> [46.160.165.31] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206379; rev:1;) alert tcp $HOME_NET any -> [83.234.136.55] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206380; rev:1;) alert tcp $HOME_NET any -> [195.133.197.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905206381; rev:1;) alert tcp $HOME_NET any -> [46.160.165.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206382; rev:1;) alert tcp $HOME_NET any -> [91.206.4.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206383; rev:1;) alert tcp $HOME_NET any -> [163.53.206.187] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206384; rev:1;) alert tcp $HOME_NET any -> [154.16.49.145] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206385; rev:1;) alert tcp $HOME_NET any -> [179.33.115.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206386; rev:1;) alert tcp $HOME_NET any -> [117.200.11.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206387; rev:1;) alert tcp $HOME_NET any -> [161.10.39.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206388; rev:1;) alert tcp $HOME_NET any -> [200.28.113.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905206389; rev:1;) alert tcp $HOME_NET any -> [206.221.186.201] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206390; rev:1;) alert tcp $HOME_NET any -> [85.228.193.94] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206391; rev:1;) alert tcp $HOME_NET any -> [195.62.53.213] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206392; rev:1;) alert tcp $HOME_NET any -> [195.2.252.178] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206393; rev:1;) alert tcp $HOME_NET any -> [213.183.58.55] 2426 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206394; rev:1;) alert tcp $HOME_NET any -> [213.183.58.29] 2559 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206395; rev:1;) alert tcp $HOME_NET any -> [213.183.58.27] 6442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206396; rev:1;) alert tcp $HOME_NET any -> [104.243.37.52] 7070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206397; rev:1;) alert tcp $HOME_NET any -> [213.183.58.53] 41969 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206398; rev:1;) alert tcp $HOME_NET any -> [89.231.13.18] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206399; rev:1;) alert tcp $HOME_NET any -> [213.208.129.198] 5564 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206400; rev:1;) alert tcp $HOME_NET any -> [89.231.13.33] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206401; rev:1;) alert tcp $HOME_NET any -> [89.231.13.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206402; rev:1;) alert tcp $HOME_NET any -> [161.10.192.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206403; rev:1;) alert tcp $HOME_NET any -> [159.224.26.79] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206404; rev:1;) alert tcp $HOME_NET any -> [195.69.196.77] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206405; rev:1;) alert tcp $HOME_NET any -> [94.42.91.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206406; rev:1;) alert tcp $HOME_NET any -> [118.91.178.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206407; rev:1;) alert tcp $HOME_NET any -> [213.183.58.29] 1609 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206408; rev:1;) alert tcp $HOME_NET any -> [23.227.201.157] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206409; rev:1;) alert tcp $HOME_NET any -> [191.7.30.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206410; rev:1;) alert tcp $HOME_NET any -> [174.127.99.145] 7171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206411; rev:1;) alert tcp $HOME_NET any -> [213.183.58.48] 6464 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206412; rev:1;) alert tcp $HOME_NET any -> [95.141.43.196] 6660 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206413; rev:1;) alert tcp $HOME_NET any -> [213.183.40.11] 9797 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206414; rev:1;) alert tcp $HOME_NET any -> [160.202.163.249] 4487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206415; rev:1;) alert tcp $HOME_NET any -> [163.47.20.60] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206416; rev:1;) alert tcp $HOME_NET any -> [31.215.129.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206417; rev:1;) alert tcp $HOME_NET any -> [188.255.249.27] 445 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206418; rev:1;) alert tcp $HOME_NET any -> [212.24.109.200] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206419; rev:1;) alert tcp $HOME_NET any -> [121.41.25.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206420; rev:1;) alert tcp $HOME_NET any -> [107.181.187.141] 443 
(msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206421; rev:1;) alert tcp $HOME_NET any -> [94.27.36.66] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206422; rev:1;) alert tcp $HOME_NET any -> [67.130.166.121] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206423; rev:1;) alert tcp $HOME_NET any -> [212.24.110.154] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206424; rev:1;) alert tcp $HOME_NET any -> [89.231.13.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206425; rev:1;) alert tcp $HOME_NET any -> [212.24.110.190] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206426; rev:1;) alert tcp $HOME_NET any -> [174.127.99.217] 3001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206427; rev:1;) alert tcp $HOME_NET any -> [62.113.202.70] 5643 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206428; rev:1;) alert tcp 
$HOME_NET any -> [212.24.109.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206429; rev:1;) alert tcp $HOME_NET any -> [91.236.116.141] 1506 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206430; rev:1;) alert tcp $HOME_NET any -> [154.16.220.106] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206431; rev:1;) alert tcp $HOME_NET any -> [174.127.99.212] 54689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206432; rev:1;) alert tcp $HOME_NET any -> [154.16.220.161] 1101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206433; rev:1;) alert tcp $HOME_NET any -> [185.29.9.121] 7760 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206434; rev:1;) alert tcp $HOME_NET any -> [213.183.58.44] 6466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206435; rev:1;) alert tcp $HOME_NET any -> [46.183.222.37] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905206436; rev:1;) alert tcp $HOME_NET any -> [104.153.108.150] 3281 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206437; rev:1;) alert tcp $HOME_NET any -> [95.140.125.100] 9060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206438; rev:1;) alert tcp $HOME_NET any -> [185.84.181.67] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206439; rev:1;) alert tcp $HOME_NET any -> [185.145.45.228] 9018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206440; rev:1;) alert tcp $HOME_NET any -> [185.84.181.69] 2245 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206441; rev:1;) alert tcp $HOME_NET any -> [23.105.128.147] 2070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206442; rev:1;) alert tcp $HOME_NET any -> [50.2.13.182] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206443; rev:1;) alert tcp $HOME_NET any -> [173.254.223.124] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905206444; rev:1;) alert tcp $HOME_NET any -> [184.75.210.206] 7262 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206445; rev:1;) alert tcp $HOME_NET any -> [176.9.99.134] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206446; rev:1;) alert tcp $HOME_NET any -> [185.101.34.119] 1933 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206447; rev:1;) alert tcp $HOME_NET any -> [184.75.209.178] 9001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206448; rev:1;) alert tcp $HOME_NET any -> [174.127.99.188] 8040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206449; rev:1;) alert tcp $HOME_NET any -> [47.88.17.2] 25432 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206450; rev:1;) alert tcp $HOME_NET any -> [59.98.97.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206451; rev:1;) alert tcp $HOME_NET any -> [181.234.125.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206452; rev:1;) alert tcp $HOME_NET any -> [181.234.131.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206453; rev:1;) alert tcp $HOME_NET any -> [184.75.209.164] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206454; rev:1;) alert tcp $HOME_NET any -> [181.234.110.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206455; rev:1;) alert tcp $HOME_NET any -> [217.164.82.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206456; rev:1;) alert tcp $HOME_NET any -> [213.183.58.54] 7956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206457; rev:1;) alert tcp $HOME_NET any -> [95.104.2.225] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206458; rev:1;) alert tcp $HOME_NET any -> [195.225.231.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206459; rev:1;) alert tcp $HOME_NET any -> [213.208.129.195] 27180 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206460; rev:1;) alert tcp $HOME_NET any -> [77.48.28.194] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206461; rev:1;) alert tcp $HOME_NET any -> [198.12.96.155] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206462; rev:1;) alert tcp $HOME_NET any -> [91.236.116.141] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206463; rev:1;) alert tcp $HOME_NET any -> [217.19.223.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206464; rev:1;) alert tcp $HOME_NET any -> [174.127.99.198] 2727 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206465; rev:1;) alert tcp $HOME_NET any -> [123.206.198.12] 8888 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206466; rev:1;) alert tcp $HOME_NET any -> [137.74.103.16] 9090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206467; rev:1;) alert tcp $HOME_NET any -> [37.235.49.220] 1111 (msg:"SSLBL: Traffic to malicious host 
(likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206468; rev:1;) alert tcp $HOME_NET any -> [117.199.204.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206469; rev:1;) alert tcp $HOME_NET any -> [185.101.34.69] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206470; rev:1;) alert tcp $HOME_NET any -> [160.202.163.240] 9888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206471; rev:1;) alert tcp $HOME_NET any -> [89.35.228.205] 9090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206472; rev:1;) alert tcp $HOME_NET any -> [163.47.20.67] 1975 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206473; rev:1;) alert tcp $HOME_NET any -> [154.16.201.3] 21777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206474; rev:1;) alert tcp $HOME_NET any -> [160.202.163.240] 1111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206475; rev:1;) alert tcp $HOME_NET any -> [49.156.45.139] 443 
(msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206476; rev:1;) alert tcp $HOME_NET any -> [179.43.158.169] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206477; rev:1;) alert tcp $HOME_NET any -> [115.186.139.104] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206478; rev:1;) alert tcp $HOME_NET any -> [195.225.231.79] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206479; rev:1;) alert tcp $HOME_NET any -> [160.202.163.251] 7755 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206480; rev:1;) alert tcp $HOME_NET any -> [82.153.121.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206481; rev:1;) alert tcp $HOME_NET any -> [87.120.254.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206482; rev:1;) alert tcp $HOME_NET any -> [23.105.131.211] 17387 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206483; rev:1;) alert tcp 
$HOME_NET any -> [77.48.28.248] 8854 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206484; rev:1;) alert tcp $HOME_NET any -> [81.95.126.146] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206485; rev:1;) alert tcp $HOME_NET any -> [198.100.127.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206486; rev:1;) alert tcp $HOME_NET any -> [185.29.9.3] 9455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206487; rev:1;) alert tcp $HOME_NET any -> [204.152.219.120] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206488; rev:1;) alert tcp $HOME_NET any -> [46.183.217.22] 1608 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206489; rev:1;) alert tcp $HOME_NET any -> [84.200.65.35] 7274 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206490; rev:1;) alert tcp $HOME_NET any -> [45.63.7.73] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905206491; rev:1;) alert tcp $HOME_NET any -> [198.100.157.155] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206492; rev:1;) alert tcp $HOME_NET any -> [151.80.84.3] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206493; rev:1;) alert tcp $HOME_NET any -> [77.48.28.232] 9978 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206494; rev:1;) alert tcp $HOME_NET any -> [62.141.34.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206495; rev:1;) alert tcp $HOME_NET any -> [91.236.116.138] 2010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206496; rev:1;) alert tcp $HOME_NET any -> [82.146.46.207] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206497; rev:1;) alert tcp $HOME_NET any -> [24.184.200.177] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206498; rev:1;) alert tcp $HOME_NET any -> [96.9.69.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905206499; rev:1;) alert tcp $HOME_NET any -> [5.172.34.138] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206500; rev:1;) alert tcp $HOME_NET any -> [186.27.192.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206501; rev:1;) alert tcp $HOME_NET any -> [188.124.170.93] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206502; rev:1;) alert tcp $HOME_NET any -> [5.101.4.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206503; rev:1;) alert tcp $HOME_NET any -> [117.99.183.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206504; rev:1;) alert tcp $HOME_NET any -> [46.102.152.208] 1350 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206505; rev:1;) alert tcp $HOME_NET any -> [174.127.99.250] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206506; rev:1;) alert tcp $HOME_NET any -> [5.175.225.33] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206507; rev:1;) alert tcp $HOME_NET any -> [186.208.106.234] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206508; rev:1;) alert tcp $HOME_NET any -> [154.73.28.239] 78 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206509; rev:1;) alert tcp $HOME_NET any -> [174.127.99.172] 8484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206510; rev:1;) alert tcp $HOME_NET any -> [186.107.17.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206511; rev:1;) alert tcp $HOME_NET any -> [104.153.108.111] 9200 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206512; rev:1;) alert tcp $HOME_NET any -> [195.88.209.221] 4413 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206513; rev:1;) alert tcp $HOME_NET any -> [185.92.239.14] 7755 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206514; rev:1;) alert tcp $HOME_NET any -> [91.219.28.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206515; rev:1;)
# Rules in this section are restored to one rule per line; rule text is unchanged.
# Each rule matches on destination IP and TCP port only (no content, TLS or certificate
# keyword is present), so an alert means a $HOME_NET host had an established TCP flow to
# a listed address, not that C&C traffic was confirmed on the wire.
# The malware family in msg is the feed's attribution ("likely ..."); corroborate it with
# host and flow evidence during triage.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one alert per
# source host per rule per 60 seconds, so repeated connections inside that window are
# not individually visible in the alert log.
# Some addresses appear on more than one port under separate sids (for example
# 203.92.62.46 on 443 and 447); any per-sid suppression or tuning has to cover each entry.
# NOTE(review): the rules carry no listing date or reference; check the current SSLBL
# entry for an IP before treating a hit as an active C&C - presumably some are historic.
alert tcp $HOME_NET any -> [178.32.255.130] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206516; rev:1;)
alert tcp $HOME_NET any -> [217.197.39.1] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206517; rev:1;)
alert tcp $HOME_NET any -> [181.215.47.182] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206518; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.146] 1011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206519; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.178] 5001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206520; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.28] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206521; rev:1;)
alert tcp $HOME_NET any -> [195.54.162.230] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206522; rev:1;)
alert tcp $HOME_NET any -> [71.79.50.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206523; rev:1;)
alert tcp $HOME_NET any -> [208.87.225.248] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206524; rev:1;)
alert tcp $HOME_NET any -> [185.75.59.226] 9945 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206525; rev:1;)
alert tcp $HOME_NET any -> [45.51.20.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206526; rev:1;)
alert tcp $HOME_NET any -> [202.195.246.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206527; rev:1;)
alert tcp $HOME_NET any -> [149.62.168.5] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206528; rev:1;)
alert tcp $HOME_NET any -> [185.98.86.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206529; rev:1;)
alert tcp $HOME_NET any -> [81.12.229.190] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206530; rev:1;)
alert tcp $HOME_NET any -> [194.1.238.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206531; rev:1;)
alert tcp $HOME_NET any -> [185.145.253.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206532; rev:1;)
alert tcp $HOME_NET any -> [68.169.52.216] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206533; rev:1;)
alert tcp $HOME_NET any -> [216.66.0.143] 5353 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206534; rev:1;)
alert tcp $HOME_NET any -> [217.182.53.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206535; rev:1;)
alert tcp $HOME_NET any -> [104.236.252.178] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206536; rev:1;)
alert tcp $HOME_NET any -> [203.76.105.82] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206537; rev:1;)
alert tcp $HOME_NET any -> [158.69.209.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206538; rev:1;)
alert tcp $HOME_NET any -> [178.62.65.89] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206539; rev:1;)
alert tcp $HOME_NET any -> [37.120.172.171] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206540; rev:1;)
alert tcp $HOME_NET any -> [8.8.247.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206541; rev:1;)
alert tcp $HOME_NET any -> [107.170.0.14] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206542; rev:1;)
alert tcp $HOME_NET any -> [92.63.111.201] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206543; rev:1;)
alert tcp $HOME_NET any -> [107.181.255.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206544; rev:1;)
alert tcp $HOME_NET any -> [107.170.146.72] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206545; rev:1;)
alert tcp $HOME_NET any -> [107.170.4.194] 943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206546; rev:1;)
alert tcp $HOME_NET any -> [203.92.62.46] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206547; rev:1;)
alert tcp $HOME_NET any -> [117.204.131.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206548; rev:1;)
alert tcp $HOME_NET any -> [161.10.212.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206549; rev:1;)
alert tcp $HOME_NET any -> [185.35.139.248] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206550; rev:1;)
alert tcp $HOME_NET any -> [200.116.206.58] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206551; rev:1;)
alert tcp $HOME_NET any -> [93.170.104.145] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206552; rev:1;)
alert tcp $HOME_NET any -> [200.120.214.150] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206553; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206554; rev:1;)
alert tcp $HOME_NET any -> [175.136.183.22] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206555; rev:1;)
alert tcp $HOME_NET any -> [91.200.14.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206556; rev:1;)
alert tcp $HOME_NET any -> [183.87.11.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206557; rev:1;)
alert tcp $HOME_NET any -> [103.4.18.170] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206558; rev:1;)
alert tcp $HOME_NET any -> [83.141.2.155] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206559; rev:1;)
alert tcp $HOME_NET any -> [5.237.63.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206560; rev:1;)
alert tcp $HOME_NET any -> [35.187.46.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206561; rev:1;)
alert tcp $HOME_NET any -> [52.38.159.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206562; rev:1;)
alert tcp $HOME_NET any -> [64.250.115.129] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206563; rev:1;)
alert tcp $HOME_NET any -> [190.99.203.251] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206564; rev:1;)
alert tcp $HOME_NET any -> [185.35.138.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206565; rev:1;)
alert tcp $HOME_NET any -> [186.112.78.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206566; rev:1;)
alert tcp $HOME_NET any -> [190.68.87.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206567; rev:1;)
alert tcp $HOME_NET any -> [85.143.214.43] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206568; rev:1;)
alert tcp $HOME_NET any -> [36.66.107.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206569; rev:1;)
alert tcp $HOME_NET any -> [50.198.141.161] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206570; rev:1;)
alert tcp $HOME_NET any -> [94.102.55.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206571; rev:1;)
alert tcp $HOME_NET any -> [186.112.44.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206572; rev:1;)
alert tcp $HOME_NET any -> [178.57.222.136] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206573; rev:1;)
alert tcp $HOME_NET any -> [89.33.64.134] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206574; rev:1;)
alert tcp $HOME_NET any -> [107.181.187.101] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206575; rev:1;)
alert tcp $HOME_NET any -> [191.110.143.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206576; rev:1;)
alert tcp $HOME_NET any -> [71.233.66.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206577; rev:1;)
alert tcp $HOME_NET any -> [61.3.147.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206578; rev:1;)
alert tcp $HOME_NET any -> [52.25.108.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206579; rev:1;)
alert tcp $HOME_NET any -> [144.208.127.72] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206580; rev:1;)
alert tcp $HOME_NET any -> [186.114.103.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206581; rev:1;)
alert tcp $HOME_NET any -> [5.135.186.189] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206582; rev:1;)
alert tcp $HOME_NET any -> [192.254.133.59] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206583; rev:1;)
alert tcp $HOME_NET any -> [66.165.13.205] 32103 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206584; rev:1;)
alert tcp $HOME_NET any -> [84.42.159.138] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206585; rev:1;)
alert tcp $HOME_NET any -> [47.188.109.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206586; rev:1;)
alert tcp $HOME_NET any -> [104.236.181.85] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206587; rev:1;)
alert tcp $HOME_NET any -> [37.187.57.57] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206588; rev:1;)
alert tcp $HOME_NET any -> [149.56.9.218] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206589; rev:1;)
alert tcp $HOME_NET any -> [179.32.209.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206590; rev:1;)
alert tcp $HOME_NET any -> [186.27.246.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206591; rev:1;)
alert tcp $HOME_NET any -> [67.87.108.136] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206592; rev:1;)
alert tcp $HOME_NET any -> [217.182.45.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206593; rev:1;)
alert tcp $HOME_NET any -> [144.217.16.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206594; rev:1;)
alert tcp $HOME_NET any -> [97.103.16.213] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206595; rev:1;)
alert tcp $HOME_NET any -> [174.135.45.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206596; rev:1;)
alert tcp $HOME_NET any -> [95.158.148.249] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206597; rev:1;)
alert tcp $HOME_NET any -> [59.125.50.132] 44443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206598; rev:1;)
alert tcp $HOME_NET any -> [58.182.10.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206599; rev:1;)
alert tcp $HOME_NET any -> [62.76.177.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206600; rev:1;)
alert tcp $HOME_NET any -> [190.67.98.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206601; rev:1;)
alert tcp $HOME_NET any -> [80.51.120.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206602; rev:1;)
alert tcp $HOME_NET any -> [98.194.132.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206603; rev:1;)
alert tcp $HOME_NET any -> [89.242.200.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206604; rev:1;)
alert tcp $HOME_NET any -> [190.66.212.225] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206605; rev:1;)
alert tcp $HOME_NET any -> [193.238.152.67] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206606; rev:1;)
alert tcp $HOME_NET any -> [117.221.26.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206607; rev:1;)
alert tcp $HOME_NET any -> [139.129.250.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206608; rev:1;)
alert tcp $HOME_NET any -> [45.74.41.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206609; rev:1;)
alert tcp $HOME_NET any -> [113.167.98.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206610; rev:1;)
alert tcp $HOME_NET any -> [161.18.100.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206611; rev:1;)
alert tcp $HOME_NET any -> [186.27.233.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206612; rev:1;)
alert tcp $HOME_NET any -> [2.220.18.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206613; rev:1;)
alert tcp $HOME_NET any -> [120.24.84.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206614; rev:1;)
alert tcp $HOME_NET any -> [73.27.36.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206615; rev:1;)
alert tcp $HOME_NET any -> [150.31.38.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206616; rev:1;)
alert tcp $HOME_NET any -> [182.18.152.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206617; rev:1;)
alert tcp $HOME_NET any -> [185.98.86.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206618; rev:1;)
alert tcp $HOME_NET any -> [185.16.41.108] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206619; rev:1;)
alert tcp $HOME_NET any -> [95.68.112.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206620; rev:1;)
alert tcp $HOME_NET any -> [97.126.1.61] 990 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206621; rev:1;)
alert tcp $HOME_NET any -> [173.25.234.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206622; rev:1;)
alert tcp $HOME_NET any -> [104.207.153.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206623; rev:1;)
alert tcp $HOME_NET any -> [190.238.62.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206624; rev:1;)
alert tcp $HOME_NET any -> [89.163.220.168] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206625; rev:1;)
alert tcp $HOME_NET any -> [67.231.16.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206626; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.107] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206627; rev:1;)
alert tcp $HOME_NET any -> [195.174.126.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206628; rev:1;)
alert tcp $HOME_NET any -> [205.186.129.254] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206629; rev:1;)
alert tcp $HOME_NET any -> [192.3.165.10] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206630; rev:1;)
alert tcp $HOME_NET any -> [91.203.145.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206631; rev:1;)
alert tcp $HOME_NET any -> [190.69.239.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206632; rev:1;)
alert tcp $HOME_NET any -> [185.98.86.114] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206633; rev:1;)
alert tcp $HOME_NET any -> [59.96.182.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206634; rev:1;)
alert tcp $HOME_NET any -> [85.85.140.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206635; rev:1;)
alert tcp $HOME_NET any -> [24.6.98.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206636; rev:1;)
alert tcp $HOME_NET any -> [71.88.202.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206637; rev:1;)
alert tcp $HOME_NET any -> [76.177.4.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206638; rev:1;)
alert tcp $HOME_NET any -> [73.176.255.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206639; rev:1;)
alert tcp $HOME_NET any -> [89.154.213.154] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206640; rev:1;)
alert tcp $HOME_NET any -> [203.92.62.46] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206641; rev:1;)
alert tcp $HOME_NET any -> [27.3.86.221] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206642; rev:1;)
alert tcp $HOME_NET any -> [105.227.190.124] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206643; rev:1;)
alert tcp $HOME_NET any -> [5.188.223.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206644; rev:1;)
alert tcp $HOME_NET any -> [193.0.178.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206645; rev:1;)
alert tcp $HOME_NET any -> [171.61.232.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206646; rev:1;)
alert tcp $HOME_NET any -> [62.75.197.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206647; rev:1;)
alert tcp $HOME_NET any -> [105.224.196.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206648; rev:1;)
alert tcp $HOME_NET any -> [166.149.168.187] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206649; rev:1;)
alert tcp $HOME_NET any -> [74.193.105.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206650; rev:1;)
alert tcp $HOME_NET any -> [180.93.69.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206651; rev:1;)
alert tcp $HOME_NET any -> [74.138.222.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206652; rev:1;)
alert tcp $HOME_NET any -> [31.14.145.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206653; rev:1;)
alert tcp $HOME_NET any -> [2.126.55.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206654; rev:1;)
alert tcp $HOME_NET any -> [185.80.53.125] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206655; rev:1;)
alert tcp $HOME_NET any -> [98.191.105.101] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206656; rev:1;)
alert tcp $HOME_NET any -> [47.22.21.180] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206657; rev:1;)
alert tcp $HOME_NET any -> [5.196.201.100] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206658; rev:1;)
alert tcp $HOME_NET any -> [78.190.54.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206659; rev:1;)
alert tcp $HOME_NET any -> [190.138.249.45] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206660; rev:1;)
alert tcp $HOME_NET any -> [201.232.32.124] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206661; rev:1;)
alert tcp $HOME_NET any -> [24.119.14.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206662; rev:1;)
alert tcp $HOME_NET any -> [74.5.136.50] 990 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206663; rev:1;)
alert tcp $HOME_NET any -> [116.108.114.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206664; rev:1;)
alert tcp $HOME_NET any -> [70.48.48.240] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206665; rev:1;)
alert tcp $HOME_NET any -> [178.32.107.190] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206666; rev:1;)
alert tcp $HOME_NET any -> [124.171.125.94] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206667; rev:1;)
alert tcp $HOME_NET any -> [73.26.63.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206668; rev:1;)
alert tcp $HOME_NET any -> [50.102.69.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206669; rev:1;)
alert tcp $HOME_NET any -> [217.13.119.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206670; rev:1;)
alert tcp $HOME_NET any -> [179.49.120.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206671; rev:1;)
alert tcp $HOME_NET any -> [8.8.247.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206672; rev:1;)
alert tcp $HOME_NET any -> [198.167.136.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206673; rev:1;)
alert tcp $HOME_NET any -> [122.174.13.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206674; rev:1;)
alert tcp $HOME_NET any -> [27.111.40.234] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206675; rev:1;)
alert tcp $HOME_NET any -> [190.99.143.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206676; rev:1;)
alert tcp $HOME_NET any -> [76.74.178.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206677; rev:1;)
alert tcp $HOME_NET any -> [185.181.9.40] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206678; rev:1;)
alert tcp $HOME_NET any -> [91.227.18.48] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206679; rev:1;)
alert tcp $HOME_NET any -> [200.120.214.150] 447 (msg:"SSLBL: Traffic to malicious host 
(likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206680; rev:1;) alert tcp $HOME_NET any -> [54.164.51.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206681; rev:1;) alert tcp $HOME_NET any -> [144.217.33.200] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206682; rev:1;) alert tcp $HOME_NET any -> [95.59.26.137] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206683; rev:1;) alert tcp $HOME_NET any -> [85.104.229.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206684; rev:1;) alert tcp $HOME_NET any -> [5.107.46.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206685; rev:1;) alert tcp $HOME_NET any -> [154.16.159.122] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206686; rev:1;) alert tcp $HOME_NET any -> [46.173.219.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206687; rev:1;) alert tcp $HOME_NET any -> [136.243.87.113] 443 
(msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206688; rev:1;) alert tcp $HOME_NET any -> [85.101.189.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206689; rev:1;) alert tcp $HOME_NET any -> [185.181.10.30] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206690; rev:1;) alert tcp $HOME_NET any -> [195.123.212.86] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206691; rev:1;) alert tcp $HOME_NET any -> [23.239.85.14] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206692; rev:1;) alert tcp $HOME_NET any -> [186.119.35.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206693; rev:1;) alert tcp $HOME_NET any -> [2.190.245.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206694; rev:1;) alert tcp $HOME_NET any -> [190.99.183.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206695; rev:1;) alert tcp $HOME_NET 
any -> [191.109.33.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206696; rev:1;) alert tcp $HOME_NET any -> [125.26.255.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206697; rev:1;) alert tcp $HOME_NET any -> [103.28.71.118] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206698; rev:1;) alert tcp $HOME_NET any -> [188.127.237.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206699; rev:1;) alert tcp $HOME_NET any -> [190.254.235.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206700; rev:1;) alert tcp $HOME_NET any -> [52.70.122.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206701; rev:1;) alert tcp $HOME_NET any -> [159.226.92.9] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206702; rev:1;) alert tcp $HOME_NET any -> [101.201.67.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905206703; rev:1;) alert tcp $HOME_NET any -> [47.18.17.114] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206704; rev:1;) alert tcp $HOME_NET any -> [185.31.209.41] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206705; rev:1;) alert tcp $HOME_NET any -> [178.250.243.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206706; rev:1;) alert tcp $HOME_NET any -> [185.146.1.36] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206707; rev:1;) alert tcp $HOME_NET any -> [82.30.148.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206708; rev:1;) alert tcp $HOME_NET any -> [81.130.206.62] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206709; rev:1;) alert tcp $HOME_NET any -> [80.90.203.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206710; rev:1;) alert tcp $HOME_NET any -> [5.101.120.73] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 
60, count 1; classtype:trojan-activity; sid:905206711; rev:1;) alert tcp $HOME_NET any -> [117.220.210.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206712; rev:1;) alert tcp $HOME_NET any -> [188.127.249.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206713; rev:1;) alert tcp $HOME_NET any -> [136.243.209.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206714; rev:1;) alert tcp $HOME_NET any -> [103.17.72.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206715; rev:1;) alert tcp $HOME_NET any -> [170.81.24.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206716; rev:1;) alert tcp $HOME_NET any -> [5.107.29.149] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206717; rev:1;) alert tcp $HOME_NET any -> [212.116.113.184] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206718; rev:1;) alert tcp $HOME_NET any -> [91.121.30.169] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206719; rev:1;) alert tcp $HOME_NET any -> [194.190.161.63] 1503 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206720; rev:1;) alert tcp $HOME_NET any -> [51.254.129.140] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206721; rev:1;) alert tcp $HOME_NET any -> [188.226.154.38] 2221 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206722; rev:1;) alert tcp $HOME_NET any -> [186.115.225.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206723; rev:1;) alert tcp $HOME_NET any -> [146.185.243.51] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206724; rev:1;) alert tcp $HOME_NET any -> [52.33.54.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206725; rev:1;) alert tcp $HOME_NET any -> [176.31.252.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Nexuslogger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206726; rev:1;) alert tcp $HOME_NET any -> [194.58.122.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206727; rev:1;) alert tcp $HOME_NET any -> [151.248.121.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206728; rev:1;) alert tcp $HOME_NET any -> [178.208.81.147] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206729; rev:1;) alert tcp $HOME_NET any -> [213.25.134.101] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206730; rev:1;) alert tcp $HOME_NET any -> [186.27.132.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206731; rev:1;) alert tcp $HOME_NET any -> [185.156.179.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206732; rev:1;) alert tcp $HOME_NET any -> [69.61.83.121] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206733; rev:1;) alert tcp $HOME_NET any -> [194.150.118.25] 3101 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206734; rev:1;) alert tcp $HOME_NET any -> [209.20.67.87] 5353 (msg:"SSLBL: Traffic to malicious 
host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206735; rev:1;) alert tcp $HOME_NET any -> [109.235.76.95] 1843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206736; rev:1;) alert tcp $HOME_NET any -> [31.184.198.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206737; rev:1;) alert tcp $HOME_NET any -> [62.221.97.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206738; rev:1;) alert tcp $HOME_NET any -> [217.29.220.255] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206739; rev:1;) alert tcp $HOME_NET any -> [144.76.2.182] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206740; rev:1;) alert tcp $HOME_NET any -> [191.113.180.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206741; rev:1;) alert tcp $HOME_NET any -> [88.202.188.35] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206742; rev:1;) alert tcp $HOME_NET any -> [193.238.152.198] 443 
(msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206743; rev:1;) alert tcp $HOME_NET any -> [190.68.232.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206744; rev:1;) alert tcp $HOME_NET any -> [93.113.131.123] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206745; rev:1;) alert tcp $HOME_NET any -> [79.137.13.22] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206746; rev:1;) alert tcp $HOME_NET any -> [216.55.182.20] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206747; rev:1;) alert tcp $HOME_NET any -> [114.215.223.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206748; rev:1;) alert tcp $HOME_NET any -> [81.130.131.55] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206749; rev:1;) alert tcp $HOME_NET any -> [84.234.75.108] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206750; rev:1;) alert tcp 
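$HOME_NET any -> [68.169.45.193] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206751; rev:1;)
# Triage note: these rules match on destination IP and port only (no TLS or
# payload condition), and the threshold limits output to one alert per source
# host per 60 seconds. A hit therefore shows that an established flow reached a
# listed address; it does not by itself confirm C&C traffic.
# sid:905206752: the family label in msg is spelled "TorrentLocker" here, as in
# the other TorrentLocker entries of this ruleset, so that msg-based searches and
# aggregation group this alert with them. Match criteria, sid and rev are unchanged.
alert tcp $HOME_NET any -> [62.109.2.195] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206752; rev:1;)
alert tcp $HOME_NET any -> [31.31.168.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206753; rev:1;)
alert tcp $HOME_NET any -> [212.227.105.182] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206754; rev:1;)
alert tcp $HOME_NET any -> [192.111.142.39] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206755; rev:1;)
alert tcp $HOME_NET any -> [209.20.67.87] 4432 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206756; rev:1;)
alert tcp $HOME_NET any -> [86.120.81.103] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206757; rev:1;)
alert tcp $HOME_NET any -> [173.212.200.226] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 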
sid:905206758; rev:1;) alert tcp $HOME_NET any -> [31.13.163.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206759; rev:1;) alert tcp $HOME_NET any -> [107.182.236.109] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206760; rev:1;) alert tcp $HOME_NET any -> [46.72.12.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206761; rev:1;) alert tcp $HOME_NET any -> [93.119.123.134] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206762; rev:1;) alert tcp $HOME_NET any -> [5.239.214.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206763; rev:1;) alert tcp $HOME_NET any -> [91.217.90.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206764; rev:1;) alert tcp $HOME_NET any -> [186.115.48.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206765; rev:1;) alert tcp $HOME_NET any -> [188.227.17.6] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905206766; rev:1;) alert tcp $HOME_NET any -> [154.0.171.105] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206767; rev:1;) alert tcp $HOME_NET any -> [77.236.97.60] 4433 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206768; rev:1;) alert tcp $HOME_NET any -> [188.227.173.38] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206769; rev:1;) alert tcp $HOME_NET any -> [82.99.60.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206770; rev:1;) alert tcp $HOME_NET any -> [185.77.131.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206771; rev:1;) alert tcp $HOME_NET any -> [185.15.185.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206772; rev:1;) alert tcp $HOME_NET any -> [5.196.129.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206773; rev:1;) alert tcp $HOME_NET any -> [94.177.189.240] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206774; rev:1;) alert tcp $HOME_NET any -> [186.27.188.184] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206775; rev:1;) alert tcp $HOME_NET any -> [220.233.135.250] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206776; rev:1;) alert tcp $HOME_NET any -> [23.94.38.151] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206777; rev:1;) alert tcp $HOME_NET any -> [193.204.38.28] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206778; rev:1;) alert tcp $HOME_NET any -> [81.147.99.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206779; rev:1;) alert tcp $HOME_NET any -> [186.113.121.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206780; rev:1;) alert tcp $HOME_NET any -> [5.249.154.143] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206781; rev:1;) alert tcp $HOME_NET any -> [179.33.92.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206782; rev:1;) alert tcp $HOME_NET any -> [92.96.1.58] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206783; rev:1;) alert tcp $HOME_NET any -> [51.254.39.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206784; rev:1;) alert tcp $HOME_NET any -> [95.81.78.201] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206785; rev:1;) alert tcp $HOME_NET any -> [46.11.36.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206786; rev:1;) alert tcp $HOME_NET any -> [45.55.86.6] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206787; rev:1;) alert tcp $HOME_NET any -> [222.254.22.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206788; rev:1;) alert tcp $HOME_NET any -> [186.118.237.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206789; rev:1;) alert tcp $HOME_NET any -> [114.37.52.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206790; rev:1;)
# Every rule in this listing has the same shape: it alerts on TCP traffic from
# $HOME_NET (any source port) to a single destination IP and port.
# flow:established,to_server limits the match to established sessions in the
# client-to-server direction, and the threshold option (type limit, track
# by_src, seconds 60, count 1) caps each rule at one alert per source address
# per 60 seconds.
# No content, TLS or certificate option is present, so the destination IP:port
# is the only indicator and the family named in msg is a "likely" label.
# Triage: the file header marks this ruleset "Aggressive"; corroborate a hit
# with proxy/TLS/DNS/endpoint telemetry before treating the source host as
# compromised, since an IP address can be reassigned to an unrelated service.
alert tcp $HOME_NET any -> [31.31.9.153] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206791; rev:1;)
# Port 80 destination: still an IP:port match only; the rule does not inspect
# HTTP content or any TLS certificate.
alert tcp $HOME_NET any -> [5.188.232.10] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206792; rev:1;)
alert tcp $HOME_NET any -> [179.32.98.86] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206793; rev:1;)
alert tcp $HOME_NET any -> [89.46.78.221] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206794; rev:1;)
alert tcp $HOME_NET any -> [85.85.138.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206795; rev:1;)
alert tcp $HOME_NET any -> [80.112.73.129] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206796; rev:1;)
alert tcp $HOME_NET any -> [92.222.129.145] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206797; rev:1;)
alert tcp $HOME_NET any -> [85.214.91.74] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206798; rev:1;)
alert tcp $HOME_NET any -> [91.103.2.132] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206799; rev:1;)
alert tcp $HOME_NET any -> [94.177.175.55] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206800; rev:1;)
alert tcp $HOME_NET any -> [91.221.37.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206801; rev:1;)
# msg carries only a generic "Ransomware" label here (and a generic "Malware"
# label on sid 905206810), so the alert text alone does not name a family.
alert tcp $HOME_NET any -> [93.132.4.208] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206802; rev:1;)
alert tcp $HOME_NET any -> [23.227.201.27] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206803; rev:1;)
alert tcp $HOME_NET any -> [190.99.185.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206804; rev:1;)
alert tcp $HOME_NET any -> [93.189.43.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206805; rev:1;)
alert tcp $HOME_NET any -> [82.196.5.27] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206806; rev:1;)
alert tcp $HOME_NET any -> [207.35.75.110] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206807; rev:1;)
alert tcp $HOME_NET any -> [186.170.104.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206808; rev:1;)
alert tcp $HOME_NET any -> [89.223.26.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206809; rev:1;)
alert tcp $HOME_NET any -> [188.120.230.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206810; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.187] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206811; rev:1;)
alert tcp $HOME_NET any -> [192.188.58.163] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206812; rev:1;)
alert tcp $HOME_NET any -> [69.43.168.214] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206813; rev:1;)
alert tcp $HOME_NET any -> [109.74.9.119] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206814; rev:1;)
alert tcp $HOME_NET any -> [203.153.165.21] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206815; rev:1;)
alert tcp $HOME_NET any -> [77.81.107.193] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206816; rev:1;)
alert tcp $HOME_NET any -> [77.246.149.92] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206817; rev:1;)
alert tcp $HOME_NET any -> [86.105.212.26] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206818; rev:1;)
alert tcp $HOME_NET any -> [176.9.238.164] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206819; rev:1;)
alert tcp $HOME_NET any -> [74.63.209.174] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206820; rev:1;)
alert tcp $HOME_NET any -> [188.68.50.34] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206821; rev:1;)
alert tcp $HOME_NET any -> [212.200.111.170] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206822; rev:1;)
alert tcp $HOME_NET any -> [71.6.155.196] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206823; rev:1;)
alert tcp $HOME_NET any -> [149.56.201.67] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206824; rev:1;)
alert tcp $HOME_NET any -> [83.54.108.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206825; rev:1;)
alert tcp $HOME_NET any -> [68.232.180.122] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206826; rev:1;)
alert tcp $HOME_NET any -> [201.236.219.180] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206827; rev:1;)
alert tcp $HOME_NET any -> [185.48.56.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206828; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206829; 
rev:1;)
# Rules in this run alert on established, client-to-server TCP sessions from
# $HOME_NET to one destination IP and port each; nothing in the rule body looks
# at payload or TLS data, and each rule is limited to one alert per source
# address per 60 seconds.
# Destination ports vary: alongside 80 and 443 there are entries on 447, 4431,
# 8343, 18443, 40443, 53443 and 1805. Hits on 80/443 generally deserve the most
# corroboration, because ordinary web traffic to a reassigned or shared address
# matches those rules just as well as malware traffic would.
alert tcp $HOME_NET any -> [184.105.192.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206830; rev:1;)
alert tcp $HOME_NET any -> [216.126.199.179] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206831; rev:1;)
alert tcp $HOME_NET any -> [78.155.218.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206832; rev:1;)
alert tcp $HOME_NET any -> [91.235.129.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206833; rev:1;)
alert tcp $HOME_NET any -> [62.76.189.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206834; rev:1;)
alert tcp $HOME_NET any -> [90.63.214.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206835; rev:1;)
alert tcp $HOME_NET any -> [88.99.80.51] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206836; rev:1;)
alert tcp $HOME_NET any -> [209.95.52.140] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206837; rev:1;)
alert tcp $HOME_NET any -> [54.213.4.206] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206838; rev:1;)
alert tcp $HOME_NET any -> [5.199.129.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206839; rev:1;)
alert tcp $HOME_NET any -> [185.62.39.171] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206840; rev:1;)
alert tcp $HOME_NET any -> [179.33.157.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206841; rev:1;)
alert tcp $HOME_NET any -> [216.127.161.5] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206842; rev:1;)
alert tcp $HOME_NET any -> [192.241.236.239] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206843; rev:1;)
alert tcp $HOME_NET any -> [93.189.43.28] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206844; rev:1;)
alert tcp $HOME_NET any -> [161.18.42.190] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206845; rev:1;)
alert tcp $HOME_NET any -> [167.88.8.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206846; rev:1;)
alert tcp $HOME_NET any -> [176.114.3.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206847; rev:1;)
alert tcp $HOME_NET any -> [185.117.72.11] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206848; rev:1;)
alert tcp $HOME_NET any -> [178.218.214.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206849; rev:1;)
alert tcp $HOME_NET any -> [89.248.170.232] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206850; rev:1;)
alert tcp $HOME_NET any -> [79.100.73.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206851; rev:1;)
alert tcp $HOME_NET any -> [89.36.216.204] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206852; rev:1;)
alert tcp $HOME_NET any -> [85.25.236.32] 40443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206853; rev:1;)
alert tcp $HOME_NET any -> [188.120.249.30] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206854; rev:1;)
alert tcp $HOME_NET any -> [77.111.90.85] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206855; rev:1;)
alert tcp $HOME_NET any -> [185.118.66.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206856; rev:1;)
alert tcp $HOME_NET any -> [192.3.21.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206857; rev:1;)
alert tcp $HOME_NET any -> [31.24.30.182] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206858; rev:1;)
alert tcp $HOME_NET any -> [94.177.229.198] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206859; rev:1;)
alert tcp $HOME_NET any -> [192.189.25.148] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206860; rev:1;)
alert tcp $HOME_NET any -> [144.217.47.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206861; rev:1;)
alert tcp $HOME_NET any -> [104.222.145.137] 1805 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206862; rev:1;)
alert tcp $HOME_NET any -> [85.143.210.193] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206863; rev:1;)
alert tcp $HOME_NET any -> [178.218.78.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206864; rev:1;)
alert tcp $HOME_NET any -> [216.218.208.114] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206865; rev:1;)
alert tcp $HOME_NET any -> [192.189.25.143] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206866; rev:1;)
alert tcp $HOME_NET any -> [179.60.147.99] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206867; rev:1;)
alert tcp $HOME_NET any -> [95.46.44.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206868; rev:1;)
alert tcp $HOME_NET any -> [5.149.249.178] 443 
(msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206869; rev:1;)
# Each rule here matches established client-to-server TCP sessions from
# $HOME_NET to a single destination IP:port and carries no payload or TLS
# condition. $HOME_NET is the source side of every rule, so the rules only fire
# when that variable covers the monitored internal ranges.
# threshold "type limit, track by_src, seconds 60, count 1" counts per source
# address as the sensor sees it: one alert per source per rule per 60 seconds.
# NOTE(review): if the sensor observes traffic after NAT, several internal
# hosts would share one source address and one alert window; confirm sensor
# placement before using alert counts to size an incident.
alert tcp $HOME_NET any -> [154.16.245.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206870; rev:1;)
alert tcp $HOME_NET any -> [185.15.245.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206871; rev:1;)
alert tcp $HOME_NET any -> [172.245.62.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206872; rev:1;)
alert tcp $HOME_NET any -> [188.127.237.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206873; rev:1;)
alert tcp $HOME_NET any -> [151.242.20.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206874; rev:1;)
alert tcp $HOME_NET any -> [89.40.124.71] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206875; rev:1;)
alert tcp $HOME_NET any -> [198.24.151.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206876; rev:1;)
alert tcp $HOME_NET any -> [184.18.128.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206877; rev:1;)
alert tcp $HOME_NET any -> [195.133.144.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206878; rev:1;)
alert tcp $HOME_NET any -> [62.109.6.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206879; rev:1;)
alert tcp $HOME_NET any -> [77.246.144.227] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206880; rev:1;)
alert tcp $HOME_NET any -> [36.37.176.6] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206881; rev:1;)
alert tcp $HOME_NET any -> [88.246.171.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206882; rev:1;)
alert tcp $HOME_NET any -> [185.141.25.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206883; rev:1;)
alert tcp $HOME_NET any -> [107.171.180.198] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206884; rev:1;)
alert tcp $HOME_NET any -> [192.189.25.142] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206885; rev:1;)
alert tcp $HOME_NET any -> [62.109.12.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206886; rev:1;)
alert tcp $HOME_NET any -> [87.98.163.119] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206887; rev:1;)
alert tcp $HOME_NET any -> [185.62.189.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206888; rev:1;)
alert tcp $HOME_NET any -> [2.89.220.124] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206889; rev:1;)
alert tcp $HOME_NET any -> [185.17.120.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206890; rev:1;)
alert tcp $HOME_NET any -> [185.25.50.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206891; rev:1;)
alert tcp $HOME_NET any -> [91.134.123.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Flokibot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206892; rev:1;)
alert tcp $HOME_NET any -> [178.159.38.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206893; rev:1;)
# This msg reads "likely Sinkhole traffic" (no "C&C"), while classtype stays
# trojan-activity like every other rule.
# NOTE(review): presumably the destination is a sinkhole for a seized C2; if
# so, a hit points at the internal source host as the thing to investigate,
# not at live attacker infrastructure. Confirm against the feed entry.
alert tcp $HOME_NET any -> [146.148.124.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206894; rev:1;)
alert tcp $HOME_NET any -> [104.223.21.3] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206895; rev:1;)
alert tcp $HOME_NET any -> [185.15.208.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206896; rev:1;)
alert tcp $HOME_NET any -> [83.220.168.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206897; rev:1;)
alert tcp $HOME_NET any -> [89.46.73.127] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206898; rev:1;)
alert tcp $HOME_NET any -> [71.228.17.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206899; rev:1;)
alert tcp $HOME_NET any -> [77.246.158.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206900; rev:1;)
alert tcp $HOME_NET any -> [37.1.213.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206901; rev:1;)
alert tcp $HOME_NET any -> [146.120.110.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206902; rev:1;)
alert tcp $HOME_NET any -> [188.214.179.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206903; rev:1;)
alert tcp $HOME_NET any -> [72.249.144.95] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206904; rev:1;)
alert tcp $HOME_NET any -> [193.28.179.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206905; rev:1;)
alert tcp $HOME_NET any -> [178.128.197.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206906; rev:1;)
alert tcp $HOME_NET any -> [185.25.50.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206907; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206908; rev:1;)
# Rules below alert on established client-to-server TCP sessions from $HOME_NET
# to one listed IP:port each, at most once per source address per 60 seconds;
# the destination address and port are the only match criteria.
# Every rule has its own sid and is at rev:1.
# NOTE(review): this looks like a generated feed, so hand edits to individual
# rules would presumably be overwritten by the next update. Prefer the engine's
# own suppress/threshold configuration for local tuning, keyed on the sid.
alert tcp $HOME_NET any -> [195.123.211.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206909; rev:1;)
alert tcp $HOME_NET any -> [89.40.127.231] 80 (msg:"SSLBL: Traffic to malicious host (likely Tuhkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206910; rev:1;)
alert tcp $HOME_NET any -> [62.76.190.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206911; rev:1;)
alert tcp $HOME_NET any -> [161.139.21.48] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206912; rev:1;)
alert tcp $HOME_NET any -> [193.28.179.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206913; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206914; rev:1;)
alert tcp $HOME_NET any -> [41.188.91.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206915; rev:1;)
alert tcp $HOME_NET any -> [185.31.208.248] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206916; rev:1;)
alert tcp $HOME_NET any -> [188.126.72.179] 12443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206917; rev:1;)
alert tcp $HOME_NET any -> [166.78.144.68] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206918; rev:1;)
alert tcp $HOME_NET any -> [174.37.216.226] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206919; rev:1;)
# Generic "Malware" label: the msg does not name a family for this entry, so
# the alert text gives no family-specific triage hint.
alert tcp $HOME_NET any -> [185.125.32.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206920; rev:1;)
alert tcp $HOME_NET any -> [193.107.111.164] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206921; rev:1;)
alert tcp $HOME_NET any -> [81.177.13.236] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206922; rev:1;)
alert tcp $HOME_NET any -> [116.100.211.197] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206923; rev:1;)
alert tcp $HOME_NET any -> [83.20.96.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206924; rev:1;)
alert tcp $HOME_NET any -> [137.74.194.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206925; rev:1;)
alert tcp $HOME_NET any -> [82.146.32.87] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206926; rev:1;)
alert tcp $HOME_NET any -> [54.235.86.173] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206927; rev:1;)
alert tcp $HOME_NET any -> [149.210.158.54] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206928; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206929; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206930; rev:1;)
alert tcp $HOME_NET any -> [94.23.169.75] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206931; rev:1;)
alert tcp $HOME_NET any -> [62.76.189.48] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206932; rev:1;)
alert tcp $HOME_NET any -> [96.9.244.10] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206933; rev:1;)
alert tcp $HOME_NET any -> [78.8.109.89] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206934; rev:1;)
alert tcp $HOME_NET any -> [76.69.91.161] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206935; rev:1;)
alert tcp $HOME_NET any -> [193.136.97.4] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206936; rev:1;)
alert tcp $HOME_NET any -> [93.122.165.54] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206937; rev:1;)
alert tcp $HOME_NET any -> [87.254.45.29] 40443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206938; rev:1;)
alert tcp $HOME_NET any -> [94.177.247.74] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206939; rev:1;)
# Destination-IP indicator rules, one rule per listed C2 endpoint.
# Each rule matches on the 5-tuple only: TCP from $HOME_NET (any source port)
# to a single destination IP and port. There is no content, TLS or certificate
# keyword, so any established client->server flow to that IP:port fires the rule.
#   flow:established,to_server  - only established flows, in the client-to-server direction.
#   threshold: type limit, track by_src, seconds 60, count 1
#                               - at most one alert per source address per 60 s for that sid,
#                                 so alert counts do not reflect connection volume.
# The family name in msg is the feed's "likely" attribution; the rule text carries no
# first-seen date or reference, so treat a hit as a lead and corroborate it with
# TLS-certificate or endpoint evidence before concluding a host is infected.
alert tcp $HOME_NET any -> [79.129.123.204] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206940; rev:1;)
alert tcp $HOME_NET any -> [122.164.197.0] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206941; rev:1;)
alert tcp $HOME_NET any -> [5.187.0.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206942; rev:1;)
# The next two rules (sid 905206943 and 905206944) target the same endpoint,
# 93.170.104.146:443, with different family labels. The in-rule threshold is tracked
# per sid, so one connection raises two alerts; de-duplicate on destination IP:port
# during triage instead of counting them as two separate detections.
alert tcp $HOME_NET any -> [93.170.104.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206943; rev:1;)
alert tcp $HOME_NET any -> [93.170.104.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206944; rev:1;)
# sid 905206945 carries only the generic label "Malware"; the rule names no family.
alert tcp $HOME_NET any -> [94.242.54.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206945; rev:1;)
alert tcp $HOME_NET any -> [87.236.215.21] 443 (msg:"SSLBL: Traffic to malicious host (likely Sofacy C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206946; rev:1;)
# NOTE(review): the rule below is split by the page's line wrapping and continues on the
# following line; rejoin it onto a single line before loading the file into a sensor.
alert tcp $HOME_NET any -> [185.117.73.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905206947; rev:1;) alert tcp $HOME_NET any -> [91.240.84.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206948; rev:1;) alert tcp $HOME_NET any -> [93.189.43.99] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206949; rev:1;) alert tcp $HOME_NET any -> [96.9.244.114] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206950; rev:1;) alert tcp $HOME_NET any -> [91.230.60.201] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206951; rev:1;) alert tcp $HOME_NET any -> [185.51.246.38] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206952; rev:1;) alert tcp $HOME_NET any -> [91.107.109.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206953; rev:1;) alert tcp $HOME_NET any -> [185.82.202.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206954; rev:1;) alert tcp $HOME_NET any -> [185.36.102.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206955; rev:1;) alert tcp $HOME_NET any -> [146.185.254.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206956; rev:1;) alert tcp $HOME_NET any -> [85.17.82.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206957; rev:1;) alert tcp $HOME_NET any -> [31.184.196.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206958; rev:1;) alert tcp $HOME_NET any -> [31.222.167.245] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206959; rev:1;) alert tcp $HOME_NET any -> [167.114.248.76] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206960; rev:1;) alert tcp $HOME_NET any -> [188.120.248.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206961; rev:1;) alert tcp $HOME_NET any -> [109.248.32.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206962; rev:1;) alert tcp $HOME_NET any -> [43.225.58.212] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206963; rev:1;) alert tcp $HOME_NET any -> [23.108.245.93] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206964; rev:1;) alert tcp $HOME_NET any -> [213.230.210.230] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206965; rev:1;) alert tcp $HOME_NET any -> [91.203.5.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206966; rev:1;) alert tcp $HOME_NET any -> [151.248.123.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Flokibot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206967; rev:1;) alert tcp $HOME_NET any -> [91.220.131.78] 50007 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206968; rev:1;) alert tcp $HOME_NET any -> [46.105.218.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206969; rev:1;) alert tcp $HOME_NET any -> [185.75.46.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206970; rev:1;) alert tcp $HOME_NET any -> [192.157.228.220] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206971; rev:1;) alert tcp $HOME_NET any -> [197.27.36.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206972; rev:1;) alert tcp $HOME_NET any -> [162.243.47.192] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206973; rev:1;) alert tcp $HOME_NET any -> [210.2.86.72] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206974; rev:1;) alert tcp $HOME_NET any -> [193.28.179.153] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206975; rev:1;) alert tcp $HOME_NET any -> [46.161.40.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206976; rev:1;) alert tcp $HOME_NET any -> [88.212.220.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206977; rev:1;) alert tcp $HOME_NET any -> [77.246.145.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206978; rev:1;) alert tcp $HOME_NET any -> [105.228.99.40] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206979; rev:1;) alert tcp $HOME_NET any -> [83.217.11.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206980; rev:1;) alert tcp $HOME_NET any -> [185.106.122.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206981; rev:1;) alert tcp $HOME_NET any -> [187.199.114.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206982; rev:1;) alert tcp $HOME_NET any -> [192.3.111.51] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206983; rev:1;) alert tcp $HOME_NET any -> [83.220.174.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206984; rev:1;) alert tcp $HOME_NET any -> [91.121.238.200] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206985; rev:1;) alert tcp $HOME_NET any -> [78.153.149.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206986; rev:1;) alert tcp $HOME_NET any -> [149.154.71.223] 443 
(msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206987; rev:1;) alert tcp $HOME_NET any -> [198.20.239.21] 4453 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206988; rev:1;) alert tcp $HOME_NET any -> [46.101.10.156] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206989; rev:1;) alert tcp $HOME_NET any -> [120.138.18.110] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206990; rev:1;) alert tcp $HOME_NET any -> [46.229.58.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206991; rev:1;) alert tcp $HOME_NET any -> [110.164.205.225] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206992; rev:1;) alert tcp $HOME_NET any -> [182.72.222.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206993; rev:1;) alert tcp $HOME_NET any -> [82.77.104.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206994; rev:1;) alert tcp $HOME_NET 
any -> [178.149.68.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206995; rev:1;) alert tcp $HOME_NET any -> [2.176.118.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206996; rev:1;) alert tcp $HOME_NET any -> [23.94.93.109] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206997; rev:1;) alert tcp $HOME_NET any -> [138.201.69.137] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206998; rev:1;) alert tcp $HOME_NET any -> [89.108.76.212] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905206999; rev:1;) alert tcp $HOME_NET any -> [189.1.172.49] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207000; rev:1;) alert tcp $HOME_NET any -> [190.123.45.112] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207001; rev:1;) alert tcp $HOME_NET any -> [103.199.16.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207002; rev:1;) alert 
tcp $HOME_NET any -> [92.222.219.26] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207003; rev:1;) alert tcp $HOME_NET any -> [37.48.106.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207004; rev:1;) alert tcp $HOME_NET any -> [88.214.236.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207005; rev:1;) alert tcp $HOME_NET any -> [91.244.19.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207006; rev:1;) alert tcp $HOME_NET any -> [93.171.202.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207007; rev:1;) alert tcp $HOME_NET any -> [188.120.248.28] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207008; rev:1;) alert tcp $HOME_NET any -> [89.108.79.217] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207009; rev:1;) alert tcp $HOME_NET any -> [92.63.110.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905207010; rev:1;) alert tcp $HOME_NET any -> [212.8.245.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207011; rev:1;) alert tcp $HOME_NET any -> [82.146.36.87] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207012; rev:1;) alert tcp $HOME_NET any -> [91.134.199.231] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207013; rev:1;) alert tcp $HOME_NET any -> [193.9.28.24] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207014; rev:1;) alert tcp $HOME_NET any -> [94.177.225.23] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207015; rev:1;) alert tcp $HOME_NET any -> [96.9.244.115] 555 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207016; rev:1;) alert tcp $HOME_NET any -> [5.39.47.12] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207017; rev:1;) alert tcp $HOME_NET any -> [185.153.198.34] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905207018; rev:1;) alert tcp $HOME_NET any -> [194.1.236.149] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207019; rev:1;) alert tcp $HOME_NET any -> [78.155.217.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207020; rev:1;) alert tcp $HOME_NET any -> [91.220.131.174] 50007 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207021; rev:1;) alert tcp $HOME_NET any -> [189.49.185.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207022; rev:1;) alert tcp $HOME_NET any -> [185.40.152.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207023; rev:1;) alert tcp $HOME_NET any -> [185.26.120.70] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207024; rev:1;) alert tcp $HOME_NET any -> [31.184.233.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207025; rev:1;) alert tcp $HOME_NET any -> [92.63.111.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207026; rev:1;) alert tcp $HOME_NET any -> [52.77.110.77] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207027; rev:1;) alert tcp $HOME_NET any -> [185.48.56.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207028; rev:1;) alert tcp $HOME_NET any -> [46.38.52.233] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207029; rev:1;) alert tcp $HOME_NET any -> [91.240.87.25] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207030; rev:1;) alert tcp $HOME_NET any -> [195.123.209.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207031; rev:1;) alert tcp $HOME_NET any -> [95.213.139.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207032; rev:1;) alert tcp $HOME_NET any -> [85.143.209.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207033; rev:1;) alert tcp $HOME_NET any -> [185.155.96.110] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207034; rev:1;) alert tcp $HOME_NET any -> [185.118.166.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207035; rev:1;) alert tcp $HOME_NET any -> [88.214.207.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207036; rev:1;) alert tcp $HOME_NET any -> [79.110.251.102] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207037; rev:1;) alert tcp $HOME_NET any -> [173.89.28.70] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207038; rev:1;) alert tcp $HOME_NET any -> [91.221.37.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207039; rev:1;) alert tcp $HOME_NET any -> [31.43.41.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207040; rev:1;) alert tcp $HOME_NET any -> [37.48.106.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207041; rev:1;) alert tcp $HOME_NET any -> [91.200.14.81] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207042; rev:1;) alert tcp $HOME_NET any -> [212.116.113.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207043; rev:1;) alert tcp $HOME_NET any -> [23.253.210.81] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207044; rev:1;) alert tcp $HOME_NET any -> [185.15.208.195] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207045; rev:1;) alert tcp $HOME_NET any -> [195.28.183.57] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207046; rev:1;) alert tcp $HOME_NET any -> [85.17.82.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207047; rev:1;) alert tcp $HOME_NET any -> [45.32.157.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207048; rev:1;) alert tcp $HOME_NET any -> [62.108.36.240] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207049; rev:1;) alert tcp $HOME_NET any -> [132.248.49.100] 
53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207050; rev:1;) alert tcp $HOME_NET any -> [148.251.46.169] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207051; rev:1;) alert tcp $HOME_NET any -> [31.220.56.32] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207052; rev:1;) alert tcp $HOME_NET any -> [92.222.251.251] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207053; rev:1;) alert tcp $HOME_NET any -> [43.239.221.51] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207054; rev:1;) alert tcp $HOME_NET any -> [62.75.195.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207055; rev:1;) alert tcp $HOME_NET any -> [190.161.133.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207056; rev:1;) alert tcp $HOME_NET any -> [188.246.91.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207057; rev:1;) alert tcp $HOME_NET 
any -> [78.108.87.155] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207058; rev:1;) alert tcp $HOME_NET any -> [61.252.138.115] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207059; rev:1;) alert tcp $HOME_NET any -> [74.50.56.162] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207060; rev:1;) alert tcp $HOME_NET any -> [185.82.216.58] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207061; rev:1;) alert tcp $HOME_NET any -> [185.80.53.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207062; rev:1;) alert tcp $HOME_NET any -> [151.237.6.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207063; rev:1;) alert tcp $HOME_NET any -> [45.124.51.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207064; rev:1;) alert tcp $HOME_NET any -> [51.255.157.186] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207065; 
rev:1;) alert tcp $HOME_NET any -> [109.234.38.37] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207066; rev:1;) alert tcp $HOME_NET any -> [186.176.140.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207067; rev:1;) alert tcp $HOME_NET any -> [24.217.71.115] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207068; rev:1;) alert tcp $HOME_NET any -> [107.191.119.162] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207069; rev:1;) alert tcp $HOME_NET any -> [81.177.13.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207070; rev:1;) alert tcp $HOME_NET any -> [93.171.202.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207071; rev:1;) alert tcp $HOME_NET any -> [137.74.199.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207072; rev:1;) alert tcp $HOME_NET any -> [185.158.152.179] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905207073; rev:1;) alert tcp $HOME_NET any -> [204.145.94.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207074; rev:1;) alert tcp $HOME_NET any -> [45.51.17.196] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207075; rev:1;) alert tcp $HOME_NET any -> [185.117.75.53] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207076; rev:1;) alert tcp $HOME_NET any -> [95.47.161.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207077; rev:1;) alert tcp $HOME_NET any -> [198.101.12.57] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207078; rev:1;) alert tcp $HOME_NET any -> [50.57.75.172] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207079; rev:1;) alert tcp $HOME_NET any -> [130.88.149.87] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207080; rev:1;) alert tcp $HOME_NET any -> [178.250.244.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207081; rev:1;) alert tcp $HOME_NET any -> [95.46.98.89] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207082; rev:1;) alert tcp $HOME_NET any -> [192.157.241.136] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207083; rev:1;) alert tcp $HOME_NET any -> [178.21.14.193] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207084; rev:1;) alert tcp $HOME_NET any -> [148.251.222.143] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207085; rev:1;) alert tcp $HOME_NET any -> [84.76.246.49] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207086; rev:1;) alert tcp $HOME_NET any -> [91.227.18.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207087; rev:1;) alert tcp $HOME_NET any -> [86.98.46.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207088; rev:1;) alert tcp $HOME_NET any -> [37.46.128.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207089; rev:1;) alert tcp $HOME_NET any -> [95.46.99.21] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207090; rev:1;) alert tcp $HOME_NET any -> [66.85.27.108] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207091; rev:1;) alert tcp $HOME_NET any -> [85.143.213.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207092; rev:1;) alert tcp $HOME_NET any -> [109.104.92.167] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207093; rev:1;) alert tcp $HOME_NET any -> [216.126.225.149] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207094; rev:1;) alert tcp $HOME_NET any -> [185.26.120.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207095; rev:1;) alert tcp $HOME_NET any -> [74.138.174.182] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207096; rev:1;) alert tcp $HOME_NET any -> [176.15.44.120] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207097; rev:1;) alert tcp $HOME_NET any -> [185.141.27.222] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207098; rev:1;) alert tcp $HOME_NET any -> [77.20.137.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207099; rev:1;) alert tcp $HOME_NET any -> [91.219.31.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207100; rev:1;) alert tcp $HOME_NET any -> [200.52.135.131] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207101; rev:1;) alert tcp $HOME_NET any -> [70.21.194.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207102; rev:1;) alert tcp $HOME_NET any -> [95.46.99.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207103; rev:1;) alert tcp $HOME_NET any -> [188.2.247.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207104; rev:1;) alert tcp $HOME_NET any -> 
[120.150.250.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207105; rev:1;) alert tcp $HOME_NET any -> [2.107.189.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207106; rev:1;) alert tcp $HOME_NET any -> [198.98.112.144] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207107; rev:1;) alert tcp $HOME_NET any -> [120.114.184.49] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207108; rev:1;) alert tcp $HOME_NET any -> [180.183.141.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207109; rev:1;) alert tcp $HOME_NET any -> [198.61.220.159] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207110; rev:1;) alert tcp $HOME_NET any -> [37.221.210.196] 4434 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207111; rev:1;) alert tcp $HOME_NET any -> [101.51.30.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207112; rev:1;) 
# SSLBL destination IP/port indicators, sid:905207113 through sid:905207175.
#
# What each rule matches:
#   - an established TCP flow from $HOME_NET towards the single listed address
#     and port (flow:established,to_server);
#   - nothing else: no payload, TLS certificate or hostname content is inspected,
#     so a hit shows contact with a listed endpoint, not a confirmed infection.
#     The family named in msg is itself marked "likely".
#
# Alert rate:
#   - threshold: type limit, track by_src, seconds 60, count 1 emits at most one
#     alert per source host per rule in any 60-second window. Alert counts
#     therefore understate the number of connections; use flow or proxy logs to
#     measure volume and duration.
#
# Deployment and triage caveats:
#   - Coverage depends on $HOME_NET in the sensor configuration; a host outside
#     that variable never matches these rules.
#   - The destination port is fixed per rule, so traffic to the same address on
#     another port is not reported here.
#   - NOTE(review): the listing date of each entry is not shown in this file.
#     Addresses can be reassigned or shared with unrelated services, so confirm
#     an entry is still current in the SSLBL feed and corroborate with endpoint
#     or TLS telemetry before blocking or declaring an incident.
#   - NOTE(review): the in-rule threshold option is documented as deprecated in
#     Snort 2.9 (detection_filter / event_filter replace it), while Suricata
#     accepts it. Confirm the target engine loads these rules without warnings.
alert tcp $HOME_NET any -> [75.134.205.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207113; rev:1;)
alert tcp $HOME_NET any -> [5.1.75.220] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207114; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.4] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207115; rev:1;)
alert tcp $HOME_NET any -> [85.214.207.16] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207116; rev:1;)
alert tcp $HOME_NET any -> [87.98.132.57] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207117; rev:1;)
alert tcp $HOME_NET any -> [210.172.213.117] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207118; rev:1;)
alert tcp $HOME_NET any -> [93.158.203.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207119; rev:1;)
alert tcp $HOME_NET any -> [80.79.114.179] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207120; rev:1;)
alert tcp $HOME_NET any -> [24.181.57.181] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207121; rev:1;)
alert tcp $HOME_NET any -> [62.75.195.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207122; rev:1;)
alert tcp $HOME_NET any -> [146.185.254.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207123; rev:1;)
alert tcp $HOME_NET any -> [85.143.166.99] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207124; rev:1;)
alert tcp $HOME_NET any -> [91.235.129.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207125; rev:1;)
alert tcp $HOME_NET any -> [188.166.10.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207126; rev:1;)
alert tcp $HOME_NET any -> [207.58.163.118] 4434 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207127; rev:1;)
alert tcp $HOME_NET any -> [37.59.8.81] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207128; rev:1;)
alert tcp $HOME_NET any -> [2.107.220.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207129; rev:1;)
alert tcp $HOME_NET any -> [105.227.251.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207130; rev:1;)
alert tcp $HOME_NET any -> [200.54.180.101] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207131; rev:1;)
alert tcp $HOME_NET any -> [5.79.96.33] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207132; rev:1;)
alert tcp $HOME_NET any -> [60.162.195.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207133; rev:1;)
alert tcp $HOME_NET any -> [122.252.225.133] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207134; rev:1;)
alert tcp $HOME_NET any -> [93.189.40.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207135; rev:1;)
alert tcp $HOME_NET any -> [185.22.65.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207136; rev:1;)
alert tcp $HOME_NET any -> [91.215.154.221] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207137; rev:1;)
alert tcp $HOME_NET any -> [199.19.105.103] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207138; rev:1;)
alert tcp $HOME_NET any -> [104.131.35.60] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207139; rev:1;)
alert tcp $HOME_NET any -> [23.152.0.210] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207140; rev:1;)
alert tcp $HOME_NET any -> [185.46.8.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Hancitor C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207141; rev:1;)
alert tcp $HOME_NET any -> [217.29.58.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207142; rev:1;)
alert tcp $HOME_NET any -> [194.67.209.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207143; rev:1;)
alert tcp $HOME_NET any -> [206.221.181.20] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207144; rev:1;)
alert tcp $HOME_NET any -> [86.105.18.173] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207145; rev:1;)
alert tcp $HOME_NET any -> [185.40.152.212] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207146; rev:1;)
alert tcp $HOME_NET any -> [188.120.243.11] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207147; rev:1;)
alert tcp $HOME_NET any -> [185.14.28.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207148; rev:1;)
alert tcp $HOME_NET any -> [37.230.115.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207149; rev:1;)
alert tcp $HOME_NET any -> [5.63.152.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207150; rev:1;)
alert tcp $HOME_NET any -> [109.120.169.94] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207151; rev:1;)
alert tcp $HOME_NET any -> [5.157.38.50] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207152; rev:1;)
alert tcp $HOME_NET any -> [80.42.164.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207153; rev:1;)
alert tcp $HOME_NET any -> [83.243.40.81] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207154; rev:1;)
alert tcp $HOME_NET any -> [91.203.5.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207155; rev:1;)
alert tcp $HOME_NET any -> [37.48.90.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207156; rev:1;)
alert tcp $HOME_NET any -> [81.177.26.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207157; rev:1;)
alert tcp $HOME_NET any -> [137.74.175.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207158; rev:1;)
alert tcp $HOME_NET any -> [202.7.59.171] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207159; rev:1;)
alert tcp $HOME_NET any -> [194.58.122.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207160; rev:1;)
alert tcp $HOME_NET any -> [77.246.149.85] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207161; rev:1;)
alert tcp $HOME_NET any -> [93.189.43.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207162; rev:1;)
alert tcp $HOME_NET any -> [91.92.198.228] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207163; rev:1;)
alert tcp $HOME_NET any -> [185.26.114.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207164; rev:1;)
alert tcp $HOME_NET any -> [201.238.232.46] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207165; rev:1;)
alert tcp $HOME_NET any -> [205.186.154.79] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207166; rev:1;)
alert tcp $HOME_NET any -> [104.153.0.227] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207167; rev:1;)
alert tcp $HOME_NET any -> [109.203.117.155] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207168; rev:1;)
alert tcp $HOME_NET any -> [165.246.35.197] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207169; rev:1;)
alert tcp $HOME_NET any -> [94.156.35.71] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207170; rev:1;)
alert tcp $HOME_NET any -> [41.231.53.156] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207171; rev:1;)
alert tcp $HOME_NET any -> [31.44.189.100] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207172; rev:1;)
alert tcp $HOME_NET any -> [185.93.185.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207173; rev:1;)
alert tcp $HOME_NET any -> [23.249.164.126] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207174; rev:1;)
alert tcp $HOME_NET any -> [172.246.126.156] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207175; rev:1;)
alert tcp $HOME_NET any -> [217.125.140.215] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207176; rev:1;) alert tcp $HOME_NET any -> [194.1.238.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207177; rev:1;) alert tcp $HOME_NET any -> [164.132.221.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207178; rev:1;) alert tcp $HOME_NET any -> [185.106.120.104] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207179; rev:1;) alert tcp $HOME_NET any -> [95.175.110.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloader.Pony C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207180; rev:1;) alert tcp $HOME_NET any -> [185.36.102.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207181; rev:1;) alert tcp $HOME_NET any -> [86.105.18.30] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207182; rev:1;) alert tcp $HOME_NET any -> [104.171.123.15] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905207183; rev:1;) alert tcp $HOME_NET any -> [158.255.215.61] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207184; rev:1;) alert tcp $HOME_NET any -> [70.31.61.115] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207185; rev:1;) alert tcp $HOME_NET any -> [70.30.105.231] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207186; rev:1;) alert tcp $HOME_NET any -> [212.129.46.156] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207187; rev:1;) alert tcp $HOME_NET any -> [23.110.85.211] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207188; rev:1;) alert tcp $HOME_NET any -> [37.220.3.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207189; rev:1;) alert tcp $HOME_NET any -> [188.209.52.101] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207190; rev:1;) alert tcp $HOME_NET any -> [94.156.35.57] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207191; rev:1;) alert tcp $HOME_NET any -> [62.76.184.225] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207192; rev:1;) alert tcp $HOME_NET any -> [27.93.201.99] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207193; rev:1;) alert tcp $HOME_NET any -> [115.90.71.164] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207194; rev:1;) alert tcp $HOME_NET any -> [192.169.7.193] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207195; rev:1;) alert tcp $HOME_NET any -> [91.219.28.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207196; rev:1;) alert tcp $HOME_NET any -> [91.121.65.64] 41443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207197; rev:1;) alert tcp $HOME_NET any -> [202.143.148.163] 4113 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207198; rev:1;) alert tcp $HOME_NET any -> [115.124.125.19] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207199; rev:1;) alert tcp $HOME_NET any -> [66.147.107.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207200; rev:1;) alert tcp $HOME_NET any -> [188.241.116.163] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207201; rev:1;) alert tcp $HOME_NET any -> [78.47.158.131] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207202; rev:1;) alert tcp $HOME_NET any -> [176.31.75.101] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207203; rev:1;) alert tcp $HOME_NET any -> [31.200.247.82] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207204; rev:1;) alert tcp $HOME_NET any -> [81.177.22.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207205; rev:1;) alert tcp $HOME_NET any -> [185.141.27.159] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207206; rev:1;) alert tcp $HOME_NET any -> [152.170.237.47] 443 (msg:"SSLBL: Traffic to malicious 
host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207207; rev:1;) alert tcp $HOME_NET any -> [5.79.96.37] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207208; rev:1;) alert tcp $HOME_NET any -> [193.0.178.28] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207209; rev:1;) alert tcp $HOME_NET any -> [108.21.203.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207210; rev:1;) alert tcp $HOME_NET any -> [144.208.127.112] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207211; rev:1;) alert tcp $HOME_NET any -> [107.181.19.88] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207212; rev:1;) alert tcp $HOME_NET any -> [112.20.178.110] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207213; rev:1;) alert tcp $HOME_NET any -> [212.231.129.194] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207214; rev:1;) alert tcp $HOME_NET any -> [117.169.20.208] 80 
(msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207215; rev:1;) alert tcp $HOME_NET any -> [5.1.80.127] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207216; rev:1;) alert tcp $HOME_NET any -> [23.229.54.99] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207217; rev:1;) alert tcp $HOME_NET any -> [70.32.97.158] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207218; rev:1;) alert tcp $HOME_NET any -> [51.255.69.127] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207219; rev:1;) alert tcp $HOME_NET any -> [95.183.51.24] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207220; rev:1;) alert tcp $HOME_NET any -> [212.47.223.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207221; rev:1;) alert tcp $HOME_NET any -> [46.105.151.247] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207222; rev:1;) alert tcp 
$HOME_NET any -> [77.42.157.2] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207223; rev:1;) alert tcp $HOME_NET any -> [24.239.157.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207224; rev:1;) alert tcp $HOME_NET any -> [66.50.43.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207225; rev:1;) alert tcp $HOME_NET any -> [141.10.91.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207226; rev:1;) alert tcp $HOME_NET any -> [194.31.59.40] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207227; rev:1;) alert tcp $HOME_NET any -> [113.162.5.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207228; rev:1;) alert tcp $HOME_NET any -> [164.132.15.78] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207229; rev:1;) alert tcp $HOME_NET any -> [59.144.17.122] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905207230; rev:1;) alert tcp $HOME_NET any -> [5.64.243.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207231; rev:1;) alert tcp $HOME_NET any -> [184.75.209.98] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207232; rev:1;) alert tcp $HOME_NET any -> [62.76.103.206] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207233; rev:1;) alert tcp $HOME_NET any -> [92.63.100.227] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207234; rev:1;) alert tcp $HOME_NET any -> [45.40.142.185] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207235; rev:1;) alert tcp $HOME_NET any -> [216.59.21.40] 41443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207236; rev:1;) alert tcp $HOME_NET any -> [78.47.93.16] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207237; rev:1;) alert tcp $HOME_NET any -> [194.67.201.123] 443 (msg:"SSLBL: Traffic to malicious host (likely H1N1 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905207238; rev:1;) alert tcp $HOME_NET any -> [65.23.222.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207239; rev:1;) alert tcp $HOME_NET any -> [89.33.246.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207240; rev:1;) alert tcp $HOME_NET any -> [190.14.38.157] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207241; rev:1;) alert tcp $HOME_NET any -> [188.225.39.2] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207242; rev:1;) alert tcp $HOME_NET any -> [188.138.69.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207243; rev:1;) alert tcp $HOME_NET any -> [119.59.124.163] 40443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207244; rev:1;) alert tcp $HOME_NET any -> [172.245.57.174] 2448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207245; rev:1;) alert tcp $HOME_NET any -> [24.172.94.180] 4113 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207246; rev:1;) alert tcp $HOME_NET any -> [191.101.22.50] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207247; rev:1;) alert tcp $HOME_NET any -> [115.76.170.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207248; rev:1;) alert tcp $HOME_NET any -> [24.88.123.190] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207249; rev:1;) alert tcp $HOME_NET any -> [68.101.225.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207250; rev:1;) alert tcp $HOME_NET any -> [107.170.132.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207251; rev:1;) alert tcp $HOME_NET any -> [172.91.160.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207252; rev:1;) alert tcp $HOME_NET any -> [176.56.236.91] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207253; rev:1;) alert tcp $HOME_NET any -> [112.217.178.26] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207254; rev:1;) alert tcp $HOME_NET any -> [52.67.39.104] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207255; rev:1;) alert tcp $HOME_NET any -> [58.187.217.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207256; rev:1;) alert tcp $HOME_NET any -> [50.109.232.44] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207257; rev:1;) alert tcp $HOME_NET any -> [67.10.229.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207258; rev:1;) alert tcp $HOME_NET any -> [90.125.147.234] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207259; rev:1;) alert tcp $HOME_NET any -> [70.31.32.129] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207260; rev:1;) alert tcp $HOME_NET any -> [149.62.173.22] 12443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207261; rev:1;) alert tcp $HOME_NET any -> [85.25.177.206] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207262; rev:1;) alert tcp $HOME_NET any -> [199.193.6.102] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207263; rev:1;) alert tcp $HOME_NET any -> [217.162.92.99] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207264; rev:1;) alert tcp $HOME_NET any -> [120.145.53.93] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207265; rev:1;) alert tcp $HOME_NET any -> [176.126.68.81] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207266; rev:1;) alert tcp $HOME_NET any -> [140.113.214.68] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207267; rev:1;) alert tcp $HOME_NET any -> [134.255.221.192] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207268; rev:1;) alert tcp $HOME_NET any -> [23.234.26.210] 5658 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207269; rev:1;) alert tcp $HOME_NET any -> [93.170.253.84] 80 (msg:"SSLBL: Traffic to malicious host 
(likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207270; rev:1;) alert tcp $HOME_NET any -> [113.186.80.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207271; rev:1;) alert tcp $HOME_NET any -> [203.162.81.247] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207272; rev:1;) alert tcp $HOME_NET any -> [68.191.126.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207273; rev:1;) alert tcp $HOME_NET any -> [173.61.183.100] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207274; rev:1;) alert tcp $HOME_NET any -> [93.115.10.203] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207275; rev:1;) alert tcp $HOME_NET any -> [75.136.11.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207276; rev:1;) alert tcp $HOME_NET any -> [77.246.159.80] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207277; rev:1;) alert tcp $HOME_NET any -> [5.39.34.152] 443 
(msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207278; rev:1;) alert tcp $HOME_NET any -> [115.76.205.33] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207279; rev:1;) alert tcp $HOME_NET any -> [185.45.192.106] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207280; rev:1;) alert tcp $HOME_NET any -> [195.154.47.69] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207281; rev:1;) alert tcp $HOME_NET any -> [80.87.197.48] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207282; rev:1;) alert tcp $HOME_NET any -> [212.92.97.33] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207283; rev:1;) alert tcp $HOME_NET any -> [105.224.196.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207284; rev:1;) alert tcp $HOME_NET any -> [107.172.41.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207285; 
rev:1;) alert tcp $HOME_NET any -> [115.115.192.245] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207286; rev:1;) alert tcp $HOME_NET any -> [85.204.49.106] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207287; rev:1;) alert tcp $HOME_NET any -> [185.109.144.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207288; rev:1;) alert tcp $HOME_NET any -> [80.82.79.95] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207289; rev:1;) alert tcp $HOME_NET any -> [193.238.59.90] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207290; rev:1;) alert tcp $HOME_NET any -> [89.43.60.122] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207291; rev:1;) alert tcp $HOME_NET any -> [78.46.160.67] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207292; rev:1;) alert tcp $HOME_NET any -> [171.4.58.50] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905207293; rev:1;) alert tcp $HOME_NET any -> [112.166.103.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207294; rev:1;) alert tcp $HOME_NET any -> [91.215.154.178] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207295; rev:1;) alert tcp $HOME_NET any -> [180.189.206.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207296; rev:1;) alert tcp $HOME_NET any -> [50.62.40.241] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207297; rev:1;) alert tcp $HOME_NET any -> [95.215.46.163] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207298; rev:1;) alert tcp $HOME_NET any -> [109.234.36.75] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207299; rev:1;) alert tcp $HOME_NET any -> [172.98.74.191] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207300; rev:1;) alert tcp $HOME_NET any -> [95.183.52.148] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905207301; rev:1;)
# Each rule below alerts on an established, client-to-server TCP flow from
# $HOME_NET to one listed IP and port, at most once per source per 60 seconds.
# The only match criteria are destination address and port; no payload or TLS
# keyword is present, so any service on that IP:port raises the alert.
# NOTE(review): the entries carry no listing date; confirm a hit against
# current SSLBL data before treating it as confirmed C&C traffic.
alert tcp $HOME_NET any -> [121.223.163.197] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207302; rev:1;)
alert tcp $HOME_NET any -> [85.17.155.148] 1234 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207303; rev:1;)
alert tcp $HOME_NET any -> [24.158.5.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207304; rev:1;)
alert tcp $HOME_NET any -> [24.46.43.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207305; rev:1;)
# NOTE(review): sid 905207306 and sid 905207307 have the same destination
# (97.78.250.78:443) and identical options apart from the family named in msg.
# One flow to this host can match both, and each sid is thresholded separately,
# so expect paired alerts; treat the family label as a hint, not an attribution.
alert tcp $HOME_NET any -> [97.78.250.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207306; rev:1;)
alert tcp $HOME_NET any -> [97.78.250.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207307; rev:1;)
alert tcp $HOME_NET any -> [64.237.220.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207308; rev:1;)
alert tcp $HOME_NET any -> [212.109.221.120] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207309; rev:1;) alert tcp $HOME_NET any -> [94.156.77.40] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207310; rev:1;) alert tcp $HOME_NET any -> [70.31.34.200] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207311; rev:1;) alert tcp $HOME_NET any -> [69.76.172.101] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207312; rev:1;) alert tcp $HOME_NET any -> [91.134.226.39] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207313; rev:1;) alert tcp $HOME_NET any -> [216.137.226.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207314; rev:1;) alert tcp $HOME_NET any -> [69.14.43.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207315; rev:1;) alert tcp $HOME_NET any -> [116.118.28.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207316; rev:1;) alert tcp $HOME_NET any -> [199.231.211.222] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207317; rev:1;) alert tcp $HOME_NET any -> [92.222.204.59] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207318; rev:1;) alert tcp $HOME_NET any -> [176.31.126.53] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207319; rev:1;) alert tcp $HOME_NET any -> [198.2.254.188] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207320; rev:1;) alert tcp $HOME_NET any -> [185.141.27.205] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207321; rev:1;) alert tcp $HOME_NET any -> [87.98.242.115] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207322; rev:1;) alert tcp $HOME_NET any -> [104.193.252.157] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207323; rev:1;) alert tcp $HOME_NET any -> [173.14.220.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207324; rev:1;) alert tcp $HOME_NET any -> [84.200.17.38] 80 (msg:"SSLBL: Traffic to malicious host 
(likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207325; rev:1;) alert tcp $HOME_NET any -> [94.102.49.236] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207326; rev:1;) alert tcp $HOME_NET any -> [87.106.173.115] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207327; rev:1;) alert tcp $HOME_NET any -> [195.169.147.26] 4843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207328; rev:1;) alert tcp $HOME_NET any -> [185.141.25.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207329; rev:1;) alert tcp $HOME_NET any -> [93.158.212.61] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207330; rev:1;) alert tcp $HOME_NET any -> [162.246.61.100] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207331; rev:1;) alert tcp $HOME_NET any -> [62.213.100.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207332; rev:1;) alert tcp $HOME_NET any -> [80.88.89.222] 11443 
(msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207333; rev:1;)
# Each rule below alerts on an established, client-to-server TCP flow from
# $HOME_NET to one listed IP and port. No payload or TLS option is present, so
# a hit means "an internal host connected to a listed address", not a
# confirmed infection; the msg text itself says "likely".
# threshold: type limit, track by_src, seconds 60, count 1 -> at most one alert
# per source address per 60 seconds for that rule.
# NOTE(review): Snort's manual marks the in-rule threshold keyword as
# deprecated in favour of event_filter / detection_filter; confirm the engine
# version in use still accepts it.
alert tcp $HOME_NET any -> [185.118.142.116] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207334; rev:1;)
alert tcp $HOME_NET any -> [188.127.231.237] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207335; rev:1;)
alert tcp $HOME_NET any -> [27.74.41.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207336; rev:1;)
# NOTE(review): the next two rules match the same destination
# (173.27.216.49, port 443) and differ only in the family named in msg and in
# the sid (905207337 Quakbot, 905207338 Dridex). One connection satisfies both,
# so expect two alerts per hit. Do not read either family name as an
# identification; triage on host evidence.
alert tcp $HOME_NET any -> [173.27.216.49] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207337; rev:1;)
alert tcp $HOME_NET any -> [173.27.216.49] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207338; rev:1;)
alert tcp $HOME_NET any -> [95.163.127.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207339; rev:1;)
alert tcp $HOME_NET any -> [198.199.112.190] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207340; rev:1;)
alert tcp 
$HOME_NET any -> [148.100.111.208] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207341; rev:1;)
# The rules in this run key on destination IP and port only
# (flow:established,to_server, no content match). The family in msg is the
# feed's label for the address, not something the rule verifies on the wire.
# NOTE(review): most entries here are plain port 80/443 addresses, and the
# rule text does not show when each address was listed. Check the current
# SSLBL entry before turning an alert into a block.
alert tcp $HOME_NET any -> [201.73.230.19] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207342; rev:1;)
alert tcp $HOME_NET any -> [81.4.125.138] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207343; rev:1;)
alert tcp $HOME_NET any -> [95.215.44.84] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207344; rev:1;)
alert tcp $HOME_NET any -> [178.183.120.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207345; rev:1;)
alert tcp $HOME_NET any -> [165.255.99.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207346; rev:1;)
# NOTE(review): the next two rules match the same destination
# (68.238.148.122, port 443) under two family labels (sid 905207347 Qadars,
# sid 905207348 Quakbot). Both fire on the same connection, and the threshold
# is applied per rule, so the pair yields two alerts per source per 60 seconds.
# Treat the family name as ambiguous when triaging.
alert tcp $HOME_NET any -> [68.238.148.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207347; rev:1;)
alert tcp $HOME_NET any -> [68.238.148.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207348; rev:1;)
alert tcp $HOME_NET any -> [62.218.147.233] 443 (msg:"SSLBL: Traffic to malicious host (likely DiamondFox C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207349; rev:1;)
alert tcp $HOME_NET any -> [1.54.70.28] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207350; rev:1;)
alert tcp $HOME_NET any -> [117.7.135.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207351; rev:1;)
alert tcp $HOME_NET any -> [95.183.52.215] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207352; rev:1;)
alert tcp $HOME_NET any -> [89.32.40.220] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207353; rev:1;)
alert tcp $HOME_NET any -> [94.76.233.152] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207354; rev:1;)
alert tcp $HOME_NET any -> [1.55.227.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207355; rev:1;)
alert tcp $HOME_NET any -> [87.106.19.38] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905207356; rev:1;) alert tcp $HOME_NET any -> [162.244.67.31] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207357; rev:1;) alert tcp $HOME_NET any -> [198.12.81.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207358; rev:1;) alert tcp $HOME_NET any -> [160.16.69.29] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207359; rev:1;) alert tcp $HOME_NET any -> [185.106.120.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207360; rev:1;) alert tcp $HOME_NET any -> [104.37.169.139] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207361; rev:1;) alert tcp $HOME_NET any -> [24.199.222.250] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207362; rev:1;) alert tcp $HOME_NET any -> [188.120.253.193] 40443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207363; rev:1;) alert tcp $HOME_NET any -> [118.193.237.233] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207364; rev:1;) alert tcp $HOME_NET any -> [23.88.239.220] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207365; rev:1;) alert tcp $HOME_NET any -> [46.249.199.87] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207366; rev:1;) alert tcp $HOME_NET any -> [103.230.189.210] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207367; rev:1;) alert tcp $HOME_NET any -> [125.212.205.196] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207368; rev:1;) alert tcp $HOME_NET any -> [85.143.218.41] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207369; rev:1;) alert tcp $HOME_NET any -> [104.152.188.33] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207370; rev:1;) alert tcp $HOME_NET any -> [188.227.72.203] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207371; rev:1;) alert tcp $HOME_NET any -> [162.251.84.219] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207372; rev:1;) alert tcp $HOME_NET any -> [182.23.64.182] 80 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207373; rev:1;) alert tcp $HOME_NET any -> [104.131.50.79] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207374; rev:1;) alert tcp $HOME_NET any -> [217.64.100.34] 4033 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207375; rev:1;) alert tcp $HOME_NET any -> [192.241.252.152] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207376; rev:1;) alert tcp $HOME_NET any -> [192.52.167.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207377; rev:1;) alert tcp $HOME_NET any -> [125.212.205.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207378; rev:1;) alert tcp $HOME_NET any -> [185.82.202.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207379; rev:1;) alert tcp $HOME_NET any -> [104.152.188.24] 443 (msg:"SSLBL: Traffic to malicious host 
(likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207380; rev:1;) alert tcp $HOME_NET any -> [213.192.1.171] 40443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207381; rev:1;) alert tcp $HOME_NET any -> [46.183.165.191] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207382; rev:1;) alert tcp $HOME_NET any -> [103.245.153.151] 4033 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207383; rev:1;) alert tcp $HOME_NET any -> [192.157.251.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207384; rev:1;) alert tcp $HOME_NET any -> [80.82.64.200] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207385; rev:1;) alert tcp $HOME_NET any -> [103.245.153.154] 4033 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207386; rev:1;) alert tcp $HOME_NET any -> [176.9.113.214] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207387; rev:1;) alert tcp $HOME_NET any -> [45.127.92.175] 40443 
(msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207388; rev:1;) alert tcp $HOME_NET any -> [199.68.198.132] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207389; rev:1;) alert tcp $HOME_NET any -> [185.117.119.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207390; rev:1;) alert tcp $HOME_NET any -> [198.105.117.128] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207391; rev:1;) alert tcp $HOME_NET any -> [176.9.113.216] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207392; rev:1;) alert tcp $HOME_NET any -> [23.105.71.119] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207393; rev:1;) alert tcp $HOME_NET any -> [186.250.48.10] 10443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207394; rev:1;) alert tcp $HOME_NET any -> [185.118.166.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207395; rev:1;) alert tcp 
$HOME_NET any -> [200.159.128.144] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207396; rev:1;) alert tcp $HOME_NET any -> [95.183.53.68] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207397; rev:1;) alert tcp $HOME_NET any -> [31.41.44.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207398; rev:1;) alert tcp $HOME_NET any -> [192.157.251.245] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207399; rev:1;) alert tcp $HOME_NET any -> [194.116.73.71] 4033 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207400; rev:1;) alert tcp $HOME_NET any -> [193.90.12.221] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207401; rev:1;) alert tcp $HOME_NET any -> [96.57.23.154] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207402; rev:1;) alert tcp $HOME_NET any -> [193.90.12.220] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905207403; rev:1;) alert tcp $HOME_NET any -> [199.231.211.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207404; rev:1;) alert tcp $HOME_NET any -> [136.243.124.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207405; rev:1;) alert tcp $HOME_NET any -> [62.213.103.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207406; rev:1;) alert tcp $HOME_NET any -> [178.33.167.120] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207407; rev:1;) alert tcp $HOME_NET any -> [162.217.248.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207408; rev:1;) alert tcp $HOME_NET any -> [104.223.125.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207409; rev:1;) alert tcp $HOME_NET any -> [204.44.102.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207410; rev:1;) alert tcp $HOME_NET any -> [109.68.190.175] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905207411; rev:1;) alert tcp $HOME_NET any -> [5.200.35.126] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207412; rev:1;) alert tcp $HOME_NET any -> [192.157.251.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207413; rev:1;) alert tcp $HOME_NET any -> [23.249.1.171] 43443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207414; rev:1;) alert tcp $HOME_NET any -> [50.56.118.137] 4033 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207415; rev:1;) alert tcp $HOME_NET any -> [210.245.92.63] 4043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207416; rev:1;) alert tcp $HOME_NET any -> [168.235.89.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207417; rev:1;) alert tcp $HOME_NET any -> [45.32.152.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207418; rev:1;) alert tcp $HOME_NET any -> [162.219.29.78] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207419; rev:1;) alert tcp $HOME_NET any -> [138.128.125.153] 4033 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207420; rev:1;) alert tcp $HOME_NET any -> [103.245.153.65] 4033 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207421; rev:1;) alert tcp $HOME_NET any -> [5.187.5.204] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207422; rev:1;) alert tcp $HOME_NET any -> [37.220.3.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207423; rev:1;) alert tcp $HOME_NET any -> [176.121.14.120] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207424; rev:1;) alert tcp $HOME_NET any -> [192.169.6.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207425; rev:1;) alert tcp $HOME_NET any -> [5.230.208.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207426; rev:1;) alert tcp $HOME_NET any -> [93.115.201.103] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207427; rev:1;) alert tcp $HOME_NET any -> [37.46.131.147] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207428; rev:1;) alert tcp $HOME_NET any -> [192.52.167.201] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207429; rev:1;) alert tcp $HOME_NET any -> [209.58.184.213] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207430; rev:1;) alert tcp $HOME_NET any -> [93.174.126.37] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207431; rev:1;) alert tcp $HOME_NET any -> [195.169.147.88] 1943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207432; rev:1;) alert tcp $HOME_NET any -> [86.106.93.60] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207433; rev:1;) alert tcp $HOME_NET any -> [158.255.6.223] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207434; rev:1;) alert tcp $HOME_NET any -> [185.106.121.66] 443 (msg:"SSLBL: Traffic to malicious host 
(likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207435; rev:1;) alert tcp $HOME_NET any -> [198.144.184.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207436; rev:1;) alert tcp $HOME_NET any -> [185.15.208.215] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207437; rev:1;) alert tcp $HOME_NET any -> [191.101.251.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207438; rev:1;) alert tcp $HOME_NET any -> [191.101.251.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207439; rev:1;) alert tcp $HOME_NET any -> [188.138.71.62] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207440; rev:1;) alert tcp $HOME_NET any -> [167.114.24.46] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207441; rev:1;) alert tcp $HOME_NET any -> [185.117.88.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207442; rev:1;) alert tcp $HOME_NET any -> 
[199.193.250.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207443; rev:1;) alert tcp $HOME_NET any -> [70.164.127.132] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207444; rev:1;) alert tcp $HOME_NET any -> [87.117.242.13] 4331 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207445; rev:1;) alert tcp $HOME_NET any -> [69.15.194.26] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207446; rev:1;) alert tcp $HOME_NET any -> [82.146.32.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207447; rev:1;) alert tcp $HOME_NET any -> [188.227.19.11] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207448; rev:1;) alert tcp $HOME_NET any -> [185.8.60.34] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207449; rev:1;) alert tcp $HOME_NET any -> [185.15.208.200] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905207450; rev:1;) alert tcp $HOME_NET any -> [91.219.28.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207451; rev:1;) alert tcp $HOME_NET any -> [5.199.129.253] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207452; rev:1;) alert tcp $HOME_NET any -> [50.3.24.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207453; rev:1;) alert tcp $HOME_NET any -> [93.82.193.162] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207454; rev:1;) alert tcp $HOME_NET any -> [198.167.140.64] 4043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207455; rev:1;) alert tcp $HOME_NET any -> [74.122.198.116] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207456; rev:1;) alert tcp $HOME_NET any -> [94.8.36.110] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207457; rev:1;) alert tcp $HOME_NET any -> [71.46.208.93] 1943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905207458; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the entries that follow (one rule per line).
#
# What a rule matches: TCP from $HOME_NET, any source port, to exactly one
# listed destination IP and one destination port. The rules carry no payload,
# TLS or certificate keywords, so a hit means "an internal host had an
# established TCP session to this address:port". It does not mean C2 traffic
# was positively identified; the feed's own msg text says "likely".
#
# flow:established,to_server - only the client-to-server side of an
#   established session is evaluated.
# threshold: type limit, track by_src, seconds 60, count 1 - at most one
#   alert per source address per 60 seconds for each sid, so alert counts
#   understate the number of connections. Use flow/connection logs to scope.
# Ports are pinned per entry (443 is the most common here, but 1943, 4043,
#   4843, 1234 and others also appear). Traffic to the same address on a
#   different port does not match.
#
# NOTE(review): the file header labels this the "Aggressive" ruleset -
# presumably it keeps addresses long after they were first observed. IP
# addresses get reassigned, so corroborate a hit with other telemetry for
# the source host before treating it as compromised. Confirm retention
# against the feed's terms page.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [162.252.175.208] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207459; rev:1;)
alert tcp $HOME_NET any -> [38.64.199.113] 1943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207460; rev:1;)
alert tcp $HOME_NET any -> [193.28.179.151] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207461; rev:1;)
alert tcp $HOME_NET any -> [154.120.229.44] 4043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207462; rev:1;)
alert tcp $HOME_NET any -> [91.216.245.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207463; rev:1;)
alert tcp $HOME_NET any -> [80.252.253.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207464; rev:1;)
alert tcp $HOME_NET any -> [213.154.202.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207465; rev:1;)
alert tcp $HOME_NET any -> [206.54.170.89] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207466; rev:1;)
alert tcp $HOME_NET any -> [93.104.211.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207467; rev:1;)
alert tcp $HOME_NET any -> [64.147.192.68] 4043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207468; rev:1;)
alert tcp $HOME_NET any -> [38.64.199.33] 4843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207469; rev:1;)
alert tcp $HOME_NET any -> [47.88.191.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207470; rev:1;)
alert tcp $HOME_NET any -> [5.152.201.26] 4843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207471; rev:1;)
alert tcp $HOME_NET any -> [188.227.19.223] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207472; rev:1;)
alert tcp $HOME_NET any -> [31.148.99.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207473; rev:1;)
alert tcp $HOME_NET any -> [188.93.239.28] 4843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207474; rev:1;)
alert tcp $HOME_NET any -> [82.146.60.196] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207475; rev:1;)
alert tcp $HOME_NET any -> [185.22.65.92] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207476; rev:1;)
alert tcp $HOME_NET any -> [87.117.242.31] 4843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207477; rev:1;)
alert tcp $HOME_NET any -> [178.93.115.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207478; rev:1;)
alert tcp $HOME_NET any -> [188.0.85.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207479; rev:1;)
alert tcp $HOME_NET any -> [98.116.11.226] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207480; rev:1;)
# The msg of the next rule carries only the generic label "Malware"; no family attribution is stated for this address.
alert tcp $HOME_NET any -> [188.166.224.251] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207481; rev:1;)
alert tcp $HOME_NET any -> [46.173.81.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207482; rev:1;)
alert tcp $HOME_NET any -> [130.255.55.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207483; rev:1;)
alert tcp $HOME_NET any -> [5.152.201.19] 4331 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207484; rev:1;)
alert tcp $HOME_NET any -> [210.65.11.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207485; rev:1;)
alert tcp $HOME_NET any -> [118.98.221.68] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207486; rev:1;)
alert tcp $HOME_NET any -> [64.76.19.244] 1113 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207487; rev:1;)
alert tcp $HOME_NET any -> [185.17.104.4] 1234 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207488; rev:1;)
alert tcp $HOME_NET any -> [185.8.62.74] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207489; rev:1;)
alert tcp $HOME_NET any -> [82.146.46.31] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207490; rev:1;)
alert tcp $HOME_NET any -> [64.76.19.251] 4243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207491; rev:1;)
alert tcp $HOME_NET any -> [62.213.67.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207492; rev:1;)
alert tcp $HOME_NET any -> [38.64.199.3] 1234 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207493; rev:1;)
alert tcp $HOME_NET any -> [78.40.108.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207494; rev:1;)
alert tcp $HOME_NET any -> [46.166.172.111] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207495; rev:1;)
alert tcp $HOME_NET any -> [188.165.215.180] 1234 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207496; rev:1;)
alert tcp $HOME_NET any -> [87.106.8.177] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207497; rev:1;)
alert tcp $HOME_NET any -> [91.201.214.38] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207498; rev:1;)
alert tcp $HOME_NET any -> [185.118.65.172] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207499; rev:1;)
alert tcp $HOME_NET any -> [188.127.231.102] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207500; rev:1;)
alert tcp $HOME_NET any -> [185.118.65.167] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207501; rev:1;)
alert tcp $HOME_NET any -> [62.76.184.86] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207502; rev:1;)
alert tcp $HOME_NET any -> [103.13.29.158] 943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207503; rev:1;)
alert tcp $HOME_NET any -> [78.108.93.186] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207504; rev:1;)
alert tcp $HOME_NET any -> [51.254.19.207] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207505; rev:1;)
alert tcp $HOME_NET any -> [80.249.6.216] 943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207506; rev:1;)
alert tcp $HOME_NET any -> [83.220.173.3] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207507; rev:1;)
alert tcp $HOME_NET any -> [192.157.249.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207508; rev:1;)
alert tcp $HOME_NET any -> [188.40.224.78] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207509; rev:1;)
alert tcp $HOME_NET any -> [75.99.13.124] 943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207510; rev:1;)
alert tcp $HOME_NET any -> [195.123.209.64] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207511; rev:1;)
alert tcp $HOME_NET any -> [95.46.114.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207512; rev:1;)
alert tcp $HOME_NET any -> [181.215.115.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207513; rev:1;)
alert tcp $HOME_NET any -> [83.220.172.231] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207514; rev:1;)
alert tcp $HOME_NET any -> [5.8.55.194] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207515; rev:1;)
alert tcp $HOME_NET any -> [78.47.235.236] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207516; rev:1;)
alert tcp $HOME_NET any -> [84.200.2.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207517; rev:1;)
alert tcp $HOME_NET any -> [192.157.238.182] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207518; rev:1;)
alert tcp $HOME_NET any -> [203.162.141.13] 843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207519; rev:1;)
alert tcp $HOME_NET any -> [46.22.128.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207520; rev:1;)
alert tcp $HOME_NET any -> [91.236.4.234] 4243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207521; rev:1;)
alert tcp $HOME_NET any -> [91.83.45.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207522; rev:1;)
alert tcp $HOME_NET any -> [81.93.151.248] 4243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207523; rev:1;)
alert tcp $HOME_NET any -> [188.40.224.76] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207524; rev:1;)
alert tcp $HOME_NET any -> [213.192.1.178] 4113 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207525; rev:1;)
alert tcp $HOME_NET any -> [80.86.91.232] 4243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207526; rev:1;)
alert tcp $HOME_NET any -> [155.94.144.93] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207527; rev:1;)
alert tcp $HOME_NET any -> [95.79.72.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207528; rev:1;)
alert tcp $HOME_NET any -> [217.144.170.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207529; rev:1;)
alert tcp $HOME_NET any -> [193.111.188.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207530; rev:1;)
alert tcp $HOME_NET any -> [222.255.121.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207531; rev:1;)
alert tcp $HOME_NET any -> [178.137.80.252] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207532; rev:1;)
alert tcp $HOME_NET any -> [192.169.6.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207533; rev:1;)
alert tcp $HOME_NET any -> [85.25.236.32] 4430 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207534; rev:1;)
alert tcp $HOME_NET any -> [164.132.53.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207535; rev:1;)
alert tcp $HOME_NET any -> [31.135.112.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207536; rev:1;)
alert tcp $HOME_NET any -> [46.148.187.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207537; rev:1;)
alert tcp $HOME_NET any -> [46.98.198.248] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207538; rev:1;)
alert tcp $HOME_NET any -> [192.100.170.12] 843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207539; rev:1;)
alert tcp $HOME_NET any -> [31.41.45.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207540; rev:1;)
alert tcp $HOME_NET any -> [166.84.7.180] 4113 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207541; rev:1;)
alert tcp $HOME_NET any -> [23.249.171.33] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207542; rev:1;)
alert tcp $HOME_NET any -> [168.235.66.206] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207543; rev:1;)
alert tcp $HOME_NET any -> [31.148.99.248] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207544; rev:1;)
alert tcp $HOME_NET any -> [194.58.120.251] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207545; rev:1;)
alert tcp $HOME_NET any -> [95.213.165.183] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207546; rev:1;)
alert tcp $HOME_NET any -> [5.101.67.138] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207547; rev:1;)
# The msg of the next rule carries only the generic label "Malware"; no family attribution is stated for this address.
alert tcp $HOME_NET any -> [176.123.29.91] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207548; rev:1;)
alert tcp $HOME_NET any -> [203.158.193.3] 843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207549; rev:1;)
alert tcp $HOME_NET any -> [27.131.149.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207550; rev:1;)
alert tcp $HOME_NET any -> [185.22.65.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207551; rev:1;)
alert tcp $HOME_NET any -> [128.199.186.92] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207552; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the entries that follow (one rule per line).
#
# Every rule here has the same shape: TCP from $HOME_NET to one destination
# IP and one destination port, restricted by flow:established,to_server to
# the client side of an established session. Matching is by address and port
# alone, since no content or TLS keywords are present. An alert is therefore
# a lead to investigate on the source host, not proof of C2 activity. The
# family named in msg is given by the feed as "likely".
#
# threshold: type limit, track by_src, seconds 60, count 1 suppresses repeat
# alerts from the same source address for 60 seconds per sid, so repeated
# sessions from one host within a minute produce a single alert. Scope the
# activity from flow/connection logs rather than from alert volume.
#
# NOTE(review): the file header labels this the "Aggressive" ruleset -
# presumably it keeps addresses long after they were first observed. IP
# addresses get reassigned, so check when the address was listed and
# corroborate with endpoint or proxy telemetry before acting on a single hit.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [41.79.173.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207553; rev:1;)
alert tcp $HOME_NET any -> [210.70.242.41] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207554; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207555; rev:1;)
alert tcp $HOME_NET any -> [31.130.9.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207556; rev:1;)
alert tcp $HOME_NET any -> [178.250.240.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207557; rev:1;)
alert tcp $HOME_NET any -> [37.139.47.252] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207558; rev:1;)
alert tcp $HOME_NET any -> [185.12.12.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207559; rev:1;)
alert tcp $HOME_NET any -> [51.254.162.83] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207560; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.115] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207561; rev:1;)
alert tcp $HOME_NET any -> [43.251.157.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207562; rev:1;)
alert tcp $HOME_NET any -> [178.151.203.248] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207563; rev:1;)
alert tcp $HOME_NET any -> [185.46.10.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207564; rev:1;)
alert tcp $HOME_NET any -> [5.136.100.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207565; rev:1;)
# The msg of the next rule carries only the generic label "Malware"; no family attribution is stated for this address.
alert tcp $HOME_NET any -> [185.80.53.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207566; rev:1;)
alert tcp $HOME_NET any -> [46.118.130.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207567; rev:1;)
alert tcp $HOME_NET any -> [62.213.67.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207568; rev:1;)
alert tcp $HOME_NET any -> [192.100.170.19] 843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207569; rev:1;)
alert tcp $HOME_NET any -> [217.106.239.102] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207570; rev:1;)
alert tcp $HOME_NET any -> [185.82.216.38] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207571; rev:1;)
alert tcp $HOME_NET any -> [178.250.240.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207572; rev:1;)
alert tcp $HOME_NET any -> [84.38.67.231] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207573; rev:1;)
alert tcp $HOME_NET any -> [59.148.246.214] 243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207574; rev:1;)
alert tcp $HOME_NET any -> [202.158.123.130] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207575; rev:1;)
alert tcp $HOME_NET any -> [149.202.251.62] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207576; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.236] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207577; rev:1;)
alert tcp $HOME_NET any -> [87.229.86.20] 843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207578; rev:1;)
alert tcp $HOME_NET any -> [192.80.190.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207579; rev:1;)
alert tcp $HOME_NET any -> [194.58.92.2] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207580; rev:1;)
alert tcp $HOME_NET any -> [213.157.51.28] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207581; rev:1;)
alert tcp $HOME_NET any -> [91.200.14.59] 5001 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207582; rev:1;)
alert tcp $HOME_NET any -> [188.227.18.202] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207583; rev:1;)
alert tcp $HOME_NET any -> [192.157.227.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207584; rev:1;)
# Destination port 80: the header matches on address and port only, so any established TCP session to this host on port 80 alerts, whether or not TLS is in use.
alert tcp $HOME_NET any -> [188.165.28.233] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207585; rev:1;)
alert tcp $HOME_NET any -> [134.249.31.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207586; rev:1;)
alert tcp $HOME_NET any -> [91.214.114.110] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207587; rev:1;)
alert tcp $HOME_NET any -> [62.75.196.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207588; rev:1;)
alert tcp $HOME_NET any -> [194.58.119.138] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207589; rev:1;)
alert tcp $HOME_NET any -> [91.199.149.227] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207590; rev:1;)
alert tcp $HOME_NET any -> [188.225.34.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207591; rev:1;)
alert tcp $HOME_NET any -> [188.127.231.170] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207592; rev:1;)
alert tcp $HOME_NET any -> [50.56.184.194] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207593; rev:1;)
alert tcp $HOME_NET any -> [80.87.200.157] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207594; rev:1;)
alert tcp $HOME_NET any -> [178.250.241.65] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207595; rev:1;)
alert tcp $HOME_NET any -> [81.176.239.97] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207596; rev:1;)
alert tcp $HOME_NET any -> [188.127.237.198] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207597; rev:1;)
alert tcp $HOME_NET any -> [188.138.25.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207598; rev:1;)
alert tcp $HOME_NET any -> [188.40.224.73] 643 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207599; rev:1;)
alert tcp $HOME_NET any -> [194.58.122.40] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207600; rev:1;)
alert tcp $HOME_NET any -> [81.4.123.193] 9943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207601; rev:1;)
alert tcp $HOME_NET any -> [46.16.200.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207602; rev:1;)
# 82.118.226.43 is listed twice, on ports 443 and 80, under separate sids (905207603 and 905207604). Each sid keeps its own per-source alert limit.
alert tcp $HOME_NET any -> [82.118.226.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207603; rev:1;)
alert tcp $HOME_NET any -> [82.118.226.43] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207604; rev:1;)
alert tcp $HOME_NET any -> [165.233.159.225] 444 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207605; rev:1;)
alert tcp $HOME_NET any -> [93.76.72.58] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207606; rev:1;)
alert tcp $HOME_NET any -> [212.126.59.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207607; rev:1;)
alert tcp $HOME_NET any -> [62.76.191.108] 1743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207608; rev:1;)
alert tcp $HOME_NET any -> [62.75.237.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207609; rev:1;)
alert tcp $HOME_NET any -> [147.156.165.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207610; rev:1;)
alert tcp $HOME_NET any -> [95.215.110.120] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207611; rev:1;)
alert tcp $HOME_NET any -> [103.245.153.70] 343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207612; rev:1;)
alert tcp $HOME_NET any -> [181.177.231.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207613; rev:1;)
alert tcp $HOME_NET any -> [93.78.217.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207614; rev:1;)
alert tcp $HOME_NET any -> [151.80.176.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207615; rev:1;) alert tcp $HOME_NET any -> [151.80.176.72] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207616; rev:1;) alert tcp $HOME_NET any -> [109.237.111.126] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207617; rev:1;) alert tcp $HOME_NET any -> [195.128.125.191] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207618; rev:1;) alert tcp $HOME_NET any -> [185.118.142.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207619; rev:1;) alert tcp $HOME_NET any -> [95.163.121.185] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207620; rev:1;) alert tcp $HOME_NET any -> [185.35.108.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207621; rev:1;) alert tcp $HOME_NET any -> [119.160.223.114] 343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207622; rev:1;) alert tcp $HOME_NET any -> [89.252.203.18] 443 (msg:"SSLBL: 
Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207623; rev:1;) alert tcp $HOME_NET any -> [188.127.231.194] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207624; rev:1;) alert tcp $HOME_NET any -> [188.255.93.37] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207625; rev:1;) alert tcp $HOME_NET any -> [81.177.27.80] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207626; rev:1;) alert tcp $HOME_NET any -> [91.239.232.145] 1743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207627; rev:1;) alert tcp $HOME_NET any -> [188.227.75.59] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207628; rev:1;) alert tcp $HOME_NET any -> [93.171.158.234] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207629; rev:1;) alert tcp $HOME_NET any -> [37.139.47.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207630; rev:1;) 
# Review notes for the rules below (sid 905207631 - 905207724), one rule per line.
# - Each rule matches on destination IP and TCP port only. There is no content
#   or TLS-certificate option, so a hit means "a host in $HOME_NET completed a
#   TCP connection to this address", not that a malware protocol was observed.
# - flow:established,to_server limits matching to the client-to-server side of
#   an established session; connection attempts that never complete the
#   handshake (for example, ones dropped at the firewall) do not alert.
# - threshold: type limit, track by_src, seconds 60, count 1 caps every rule at
#   one alert per source address per 60 seconds. Behind NAT or a forward proxy
#   several internal hosts can collapse into a single alert, so enumerate the
#   affected hosts from flow or proxy logs rather than from alert counts.
# - The family named in msg is the feed's "likely" attribution. The rule text
#   carries no listing date, and addresses get reassigned or shared, so
#   corroborate a hit with endpoint, DNS or proxy telemetry before escalating.
# - Several addresses appear twice, once for port 80 and once for port 443;
#   those are separate sids and alert independently.
alert tcp $HOME_NET any -> [185.24.92.229] 4743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207631; rev:1;)
alert tcp $HOME_NET any -> [160.114.111.17] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207632; rev:1;)
alert tcp $HOME_NET any -> [46.101.155.53] 1143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207633; rev:1;)
alert tcp $HOME_NET any -> [85.143.223.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207634; rev:1;)
alert tcp $HOME_NET any -> [185.24.92.236] 1743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207635; rev:1;)
alert tcp $HOME_NET any -> [89.248.171.237] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207636; rev:1;)
alert tcp $HOME_NET any -> [89.248.171.237] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207637; rev:1;)
alert tcp $HOME_NET any -> [85.25.102.156] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207638; rev:1;)
alert tcp $HOME_NET any -> [85.25.102.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207639; rev:1;)
alert tcp $HOME_NET any -> [50.7.143.19] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207640; rev:1;)
alert tcp $HOME_NET any -> [195.72.158.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207641; rev:1;)
alert tcp $HOME_NET any -> [85.143.166.200] 1743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207642; rev:1;)
alert tcp $HOME_NET any -> [88.214.207.56] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207643; rev:1;)
alert tcp $HOME_NET any -> [192.157.239.137] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207644; rev:1;)
alert tcp $HOME_NET any -> [192.157.239.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207645; rev:1;)
alert tcp $HOME_NET any -> [162.210.249.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207646; rev:1;)
alert tcp $HOME_NET any -> [45.58.62.161] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207647; rev:1;)
alert tcp $HOME_NET any -> [46.63.1.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207648; rev:1;)
alert tcp $HOME_NET any -> [104.244.159.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207649; rev:1;)
alert tcp $HOME_NET any -> [91.195.12.164] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207650; rev:1;)
alert tcp $HOME_NET any -> [198.50.234.210] 343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207651; rev:1;)
alert tcp $HOME_NET any -> [138.204.171.113] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207652; rev:1;)
alert tcp $HOME_NET any -> [162.253.176.224] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207653; rev:1;)
alert tcp $HOME_NET any -> [80.90.179.149] 5001 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207654; rev:1;)
alert tcp $HOME_NET any -> [95.163.121.204] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207655; rev:1;)
alert tcp $HOME_NET any -> [193.218.145.168] 5001 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207656; rev:1;)
alert tcp $HOME_NET any -> [91.240.84.224] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207657; rev:1;)
alert tcp $HOME_NET any -> [194.126.100.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207658; rev:1;)
alert tcp $HOME_NET any -> [51.255.107.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207659; rev:1;)
alert tcp $HOME_NET any -> [109.237.109.148] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207660; rev:1;)
alert tcp $HOME_NET any -> [103.194.43.48] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207661; rev:1;)
alert tcp $HOME_NET any -> [92.63.99.34] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207662; rev:1;)
alert tcp $HOME_NET any -> [85.93.145.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207663; rev:1;)
alert tcp $HOME_NET any -> [195.110.58.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207664; rev:1;)
alert tcp $HOME_NET any -> [91.215.153.43] 5001 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207665; rev:1;)
alert tcp $HOME_NET any -> [185.130.4.98] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207666; rev:1;)
alert tcp $HOME_NET any -> [119.160.223.115] 1143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207667; rev:1;)
alert tcp $HOME_NET any -> [110.138.108.142] 3448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207668; rev:1;)
alert tcp $HOME_NET any -> [149.202.127.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207669; rev:1;)
alert tcp $HOME_NET any -> [149.202.127.212] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207670; rev:1;)
alert tcp $HOME_NET any -> [85.143.221.170] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207671; rev:1;)
alert tcp $HOME_NET any -> [51.255.107.20] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207672; rev:1;)
alert tcp $HOME_NET any -> [77.121.63.196] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207673; rev:1;)
alert tcp $HOME_NET any -> [46.105.88.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207674; rev:1;)
alert tcp $HOME_NET any -> [103.224.83.130] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207675; rev:1;)
alert tcp $HOME_NET any -> [91.195.12.150] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207676; rev:1;)
alert tcp $HOME_NET any -> [192.210.137.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207677; rev:1;)
alert tcp $HOME_NET any -> [194.58.97.60] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207678; rev:1;)
alert tcp $HOME_NET any -> [103.193.4.131] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207679; rev:1;)
alert tcp $HOME_NET any -> [188.227.74.90] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207680; rev:1;)
alert tcp $HOME_NET any -> [185.30.98.82] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207681; rev:1;)
alert tcp $HOME_NET any -> [107.161.145.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207682; rev:1;)
alert tcp $HOME_NET any -> [78.137.13.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207683; rev:1;)
alert tcp $HOME_NET any -> [95.163.107.52] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207684; rev:1;)
alert tcp $HOME_NET any -> [91.199.149.187] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207685; rev:1;)
alert tcp $HOME_NET any -> [192.241.207.251] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207686; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207687; rev:1;)
alert tcp $HOME_NET any -> [125.212.205.220] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207688; rev:1;)
alert tcp $HOME_NET any -> [216.170.126.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207689; rev:1;)
alert tcp $HOME_NET any -> [80.78.253.130] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207690; rev:1;)
alert tcp $HOME_NET any -> [198.154.62.28] 444 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207691; rev:1;)
alert tcp $HOME_NET any -> [79.174.64.84] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207692; rev:1;)
alert tcp $HOME_NET any -> [79.174.65.197] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207693; rev:1;)
alert tcp $HOME_NET any -> [45.124.65.51] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207694; rev:1;)
alert tcp $HOME_NET any -> [46.183.165.8] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207695; rev:1;)
alert tcp $HOME_NET any -> [37.46.128.37] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207696; rev:1;)
alert tcp $HOME_NET any -> [216.224.175.92] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207697; rev:1;)
alert tcp $HOME_NET any -> [93.188.163.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207698; rev:1;)
alert tcp $HOME_NET any -> [114.113.148.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207699; rev:1;)
alert tcp $HOME_NET any -> [176.53.0.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207700; rev:1;)
alert tcp $HOME_NET any -> [216.59.16.175] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207701; rev:1;)
alert tcp $HOME_NET any -> [198.50.234.211] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207702; rev:1;)
alert tcp $HOME_NET any -> [192.232.204.53] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207703; rev:1;)
alert tcp $HOME_NET any -> [188.138.71.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207704; rev:1;)
alert tcp $HOME_NET any -> [62.75.219.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207705; rev:1;)
alert tcp $HOME_NET any -> [46.101.190.62] 1143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207706; rev:1;)
alert tcp $HOME_NET any -> [203.151.94.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207707; rev:1;)
alert tcp $HOME_NET any -> [178.76.67.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207708; rev:1;)
alert tcp $HOME_NET any -> [89.42.70.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207709; rev:1;)
alert tcp $HOME_NET any -> [216.117.130.191] 1143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207710; rev:1;)
alert tcp $HOME_NET any -> [185.25.118.197] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207711; rev:1;)
alert tcp $HOME_NET any -> [87.117.242.7] 8843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207712; rev:1;)
alert tcp $HOME_NET any -> [195.219.57.34] 8843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207713; rev:1;)
alert tcp $HOME_NET any -> [45.32.94.132] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207714; rev:1;)
alert tcp $HOME_NET any -> [110.77.142.156] 8143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207715; rev:1;)
alert tcp $HOME_NET any -> [185.25.116.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207716; rev:1;)
alert tcp $HOME_NET any -> [188.138.88.14] 1143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207717; rev:1;)
alert tcp $HOME_NET any -> [104.224.128.163] 3448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207718; rev:1;)
alert tcp $HOME_NET any -> [89.37.214.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207719; rev:1;)
alert tcp $HOME_NET any -> [172.245.130.32] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207720; rev:1;)
alert tcp $HOME_NET any -> [172.245.130.32] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207721; rev:1;)
alert tcp $HOME_NET any -> [41.38.18.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207722; rev:1;)
alert tcp $HOME_NET any -> [85.25.200.103] 1143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207723; rev:1;)
alert tcp $HOME_NET any -> [198.55.107.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207724; rev:1;)
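# Reviewer notes for sid 905207725-905207842:
# - Rules are restored to one per physical line; a rule split across lines
#   without a trailing backslash does not parse in Snort or Suricata.
# - Every rule matches on destination IP and port only
#   (flow:established,to_server). No payload or TLS keyword is inspected, so an
#   alert means a $HOME_NET host completed a TCP connection to the listed
#   address, not that C&C traffic was confirmed (the msg itself says "likely").
#   Corroborate with host and proxy/TLS telemetry before escalating.
# - threshold: type limit, track by_src, seconds 60, count 1 yields at most one
#   alert per source address per rule per 60 seconds, so alert counts understate
#   connection volume; use flow records for that.
# - The entries carry no listing date. IP addresses are reassigned over time,
#   so check an address against current SSLBL data before blocking on it.
# - 193.218.145.50:443 is listed under two sids (905207788 TorrentLocker,
#   905207790 Vawtrak); one connection can raise both alerts.
alert tcp $HOME_NET any -> [162.221.183.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207725; rev:1;)
alert tcp $HOME_NET any -> [185.14.28.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207726; rev:1;)
alert tcp $HOME_NET any -> [80.58.201.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207727; rev:1;)
alert tcp $HOME_NET any -> [93.79.199.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207728; rev:1;)
alert tcp $HOME_NET any -> [114.215.108.157] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207729; rev:1;)
alert tcp $HOME_NET any -> [193.242.211.187] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207730; rev:1;)
alert tcp $HOME_NET any -> [95.133.197.95] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207731; rev:1;)
alert tcp $HOME_NET any -> [185.22.17.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207732; rev:1;)
alert tcp $HOME_NET any -> [77.121.255.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207733; rev:1;)
alert tcp $HOME_NET any -> [46.249.131.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207734; rev:1;)
alert tcp $HOME_NET any -> [37.229.135.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207735; rev:1;)
alert tcp $HOME_NET any -> [93.77.115.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207736; rev:1;)
alert tcp $HOME_NET any -> [5.2.32.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207737; rev:1;)
alert tcp $HOME_NET any -> [193.93.218.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207738; rev:1;)
alert tcp $HOME_NET any -> [89.35.61.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207739; rev:1;)
alert tcp $HOME_NET any -> [94.52.72.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207740; rev:1;)
alert tcp $HOME_NET any -> [93.78.7.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207741; rev:1;)
alert tcp $HOME_NET any -> [94.153.65.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207742; rev:1;)
alert tcp $HOME_NET any -> [185.45.193.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207743; rev:1;)
alert tcp $HOME_NET any -> [51.255.155.169] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207744; rev:1;)
alert tcp $HOME_NET any -> [178.216.227.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207745; rev:1;)
alert tcp $HOME_NET any -> [31.170.104.57] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207746; rev:1;)
alert tcp $HOME_NET any -> [93.171.21.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207747; rev:1;)
alert tcp $HOME_NET any -> [109.87.249.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207748; rev:1;)
alert tcp $HOME_NET any -> [93.127.114.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207749; rev:1;)
alert tcp $HOME_NET any -> [46.211.43.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207750; rev:1;)
alert tcp $HOME_NET any -> [91.241.227.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207751; rev:1;)
alert tcp $HOME_NET any -> [62.76.188.237] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207752; rev:1;)
alert tcp $HOME_NET any -> [5.39.185.231] 444 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207753; rev:1;)
alert tcp $HOME_NET any -> [162.244.76.40] 3448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207754; rev:1;)
alert tcp $HOME_NET any -> [177.153.4.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207755; rev:1;)
alert tcp $HOME_NET any -> [104.131.59.185] 243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207756; rev:1;)
alert tcp $HOME_NET any -> [1.179.170.7] 4493 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207757; rev:1;)
alert tcp $HOME_NET any -> [89.38.150.118] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207758; rev:1;)
alert tcp $HOME_NET any -> [5.135.99.128] 14756 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207759; rev:1;)
alert tcp $HOME_NET any -> [62.68.148.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207760; rev:1;)
alert tcp $HOME_NET any -> [117.239.192.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207761; rev:1;)
alert tcp $HOME_NET any -> [78.47.119.93] 666 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207762; rev:1;)
alert tcp $HOME_NET any -> [213.111.232.28] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207763; rev:1;)
alert tcp $HOME_NET any -> [94.253.83.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207764; rev:1;)
alert tcp $HOME_NET any -> [46.173.71.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207765; rev:1;)
alert tcp $HOME_NET any -> [87.120.37.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207766; rev:1;)
alert tcp $HOME_NET any -> [109.237.108.176] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207767; rev:1;)
alert tcp $HOME_NET any -> [23.88.104.64] 243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207768; rev:1;)
alert tcp $HOME_NET any -> [46.151.42.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207769; rev:1;)
alert tcp $HOME_NET any -> [188.27.236.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207770; rev:1;)
alert tcp $HOME_NET any -> [94.19.198.38] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207771; rev:1;)
alert tcp $HOME_NET any -> [94.232.207.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207772; rev:1;)
alert tcp $HOME_NET any -> [92.87.69.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207773; rev:1;)
alert tcp $HOME_NET any -> [178.20.159.93] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207774; rev:1;)
alert tcp $HOME_NET any -> [37.115.157.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207775; rev:1;)
alert tcp $HOME_NET any -> [31.41.44.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207776; rev:1;)
alert tcp $HOME_NET any -> [178.18.249.147] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207777; rev:1;)
alert tcp $HOME_NET any -> [178.18.249.147] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207778; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.195] 443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207779; rev:1;)
alert tcp $HOME_NET any -> [195.66.222.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207780; rev:1;)
alert tcp $HOME_NET any -> [109.235.70.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207781; rev:1;)
alert tcp $HOME_NET any -> [109.235.70.20] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207782; rev:1;)
alert tcp $HOME_NET any -> [176.37.225.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207783; rev:1;)
alert tcp $HOME_NET any -> [31.170.152.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207784; rev:1;)
alert tcp $HOME_NET any -> [193.28.179.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207785; rev:1;)
alert tcp $HOME_NET any -> [46.161.40.105] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207786; rev:1;)
alert tcp $HOME_NET any -> [213.159.214.196] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207787; rev:1;)
alert tcp $HOME_NET any -> [193.218.145.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207788; rev:1;)
alert tcp $HOME_NET any -> [185.36.102.95] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207789; rev:1;)
alert tcp $HOME_NET any -> [193.218.145.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207790; rev:1;)
alert tcp $HOME_NET any -> [62.109.133.248] 444 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207791; rev:1;)
alert tcp $HOME_NET any -> [199.7.136.88] 8143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207792; rev:1;)
alert tcp $HOME_NET any -> [151.80.142.33] 1743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207793; rev:1;)
alert tcp $HOME_NET any -> [213.111.142.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207794; rev:1;)
alert tcp $HOME_NET any -> [194.8.158.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207795; rev:1;)
alert tcp $HOME_NET any -> [176.115.155.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207796; rev:1;)
alert tcp $HOME_NET any -> [79.126.59.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207797; rev:1;)
alert tcp $HOME_NET any -> [178.150.6.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207798; rev:1;)
alert tcp $HOME_NET any -> [5.105.197.75] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207799; rev:1;)
alert tcp $HOME_NET any -> [188.127.249.165] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207800; rev:1;)
alert tcp $HOME_NET any -> [199.68.198.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207801; rev:1;)
alert tcp $HOME_NET any -> [199.68.198.117] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207802; rev:1;)
alert tcp $HOME_NET any -> [198.96.89.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207803; rev:1;)
alert tcp $HOME_NET any -> [95.106.82.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207804; rev:1;)
alert tcp $HOME_NET any -> [78.47.64.118] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207805; rev:1;)
alert tcp $HOME_NET any -> [88.214.207.68] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207806; rev:1;)
alert tcp $HOME_NET any -> [188.166.74.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207807; rev:1;)
alert tcp $HOME_NET any -> [188.166.74.217] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207808; rev:1;)
alert tcp $HOME_NET any -> [91.244.37.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207809; rev:1;)
alert tcp $HOME_NET any -> [195.66.223.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207810; rev:1;)
alert tcp $HOME_NET any -> [172.248.107.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207811; rev:1;)
alert tcp $HOME_NET any -> [91.243.229.223] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207812; rev:1;)
alert tcp $HOME_NET any -> [93.113.248.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207813; rev:1;)
alert tcp $HOME_NET any -> [213.111.147.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207814; rev:1;)
alert tcp $HOME_NET any -> [109.194.13.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207815; rev:1;)
alert tcp $HOME_NET any -> [46.119.119.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207816; rev:1;)
alert tcp $HOME_NET any -> [51.255.146.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207817; rev:1;)
alert tcp $HOME_NET any -> [176.102.216.221] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207818; rev:1;)
alert tcp $HOME_NET any -> [85.93.145.9] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207819; rev:1;)
alert tcp $HOME_NET any -> [46.98.109.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207820; rev:1;)
alert tcp $HOME_NET any -> [93.170.152.201] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207821; rev:1;)
alert tcp $HOME_NET any -> [37.229.28.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207822; rev:1;)
alert tcp $HOME_NET any -> [198.96.89.181] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207823; rev:1;)
alert tcp $HOME_NET any -> [93.174.95.35] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207824; rev:1;)
alert tcp $HOME_NET any -> [78.61.114.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207825; rev:1;)
alert tcp $HOME_NET any -> [185.82.202.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207826; rev:1;)
alert tcp $HOME_NET any -> [202.69.40.173] 243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207827; rev:1;)
alert tcp $HOME_NET any -> [185.82.202.38] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207828; rev:1;)
alert tcp $HOME_NET any -> [185.82.202.38] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207829; rev:1;)
alert tcp $HOME_NET any -> [188.190.72.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207830; rev:1;)
alert tcp $HOME_NET any -> [168.187.96.115] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207831; rev:1;)
alert tcp $HOME_NET any -> [80.96.150.201] 9943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207832; rev:1;)
alert tcp $HOME_NET any -> [192.227.158.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207833; rev:1;)
alert tcp $HOME_NET any -> [123.203.102.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207834; rev:1;)
alert tcp $HOME_NET any -> [31.6.124.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207835; rev:1;)
alert tcp $HOME_NET any -> [134.249.74.86] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207836; rev:1;)
alert tcp $HOME_NET any -> [185.117.72.87] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207837; rev:1;)
alert tcp $HOME_NET any -> [185.117.72.87] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207838; rev:1;)
alert tcp $HOME_NET any -> [104.206.221.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207839; rev:1;)
alert tcp $HOME_NET any -> [138.4.249.254] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207840; rev:1;)
alert tcp $HOME_NET any -> [104.206.221.165] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207841; rev:1;)
alert tcp $HOME_NET any -> [176.121.252.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207842; rev:1;)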
alert tcp $HOME_NET any -> [95.215.108.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207843; rev:1;) alert tcp $HOME_NET any -> [24.214.18.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207844; rev:1;) alert tcp $HOME_NET any -> [64.79.99.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207845; rev:1;) alert tcp $HOME_NET any -> [199.7.136.84] 8143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207846; rev:1;) alert tcp $HOME_NET any -> [192.227.158.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207847; rev:1;) alert tcp $HOME_NET any -> [192.227.158.188] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207848; rev:1;) alert tcp $HOME_NET any -> [146.185.243.80] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207849; rev:1;) alert tcp $HOME_NET any -> [185.86.149.224] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905207850; rev:1;)
# Review notes for the entries below (abuse.ch SSLBL botnet C2 IP ruleset).
#
# Every rule in this run follows one template:
#   alert tcp $HOME_NET any -> [<ip>] <port> (...)
#   - It fires on TCP traffic from any source port of an address in $HOME_NET
#     to one listed IPv4 address and destination port. $HOME_NET comes from
#     the sensor configuration; the rules match nothing if it does not cover
#     the monitored clients.
#   - flow:established,to_server restricts the match to client-to-server
#     packets of an established session, so the handshake must have completed.
#   - threshold: type limit, track by_src, seconds 60, count 1 caps output at
#     one alert per source address per rule per 60 seconds; the alert count
#     therefore says little about connection volume.
#   - The action is alert: the rules report and do not block.
#
# The match is on destination address and port only. There is no content,
# TLS certificate or fingerprint condition, and the malware family in msg is
# the feed's own "likely" attribution. Treat a hit as a lead for triage, not
# as a confirmed infection: addresses can be reassigned or shared with
# unrelated services, and the entries carry no listing date in this file, so
# check the current SSLBL listing for an address before blocking on it.
# Some addresses appear twice, once per port (443 and 80), under separate sids.
alert tcp $HOME_NET any -> [46.98.164.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207851; rev:1;)
alert tcp $HOME_NET any -> [85.143.219.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207852; rev:1;)
alert tcp $HOME_NET any -> [188.0.93.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207853; rev:1;)
alert tcp $HOME_NET any -> [185.45.192.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207854; rev:1;)
alert tcp $HOME_NET any -> [185.45.192.210] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207855; rev:1;)
alert tcp $HOME_NET any -> [188.186.75.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207856; rev:1;)
alert tcp $HOME_NET any -> [195.66.222.86] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207857; rev:1;)
alert tcp $HOME_NET any -> [212.106.48.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207858; rev:1;)
alert tcp $HOME_NET any -> [136.243.99.219] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207859; rev:1;)
alert tcp $HOME_NET any -> [212.91.196.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207860; rev:1;)
alert tcp $HOME_NET any -> [95.85.23.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207861; rev:1;)
alert tcp $HOME_NET any -> [95.85.23.88] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207862; rev:1;)
alert tcp $HOME_NET any -> [195.14.104.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207863; rev:1;)
alert tcp $HOME_NET any -> [86.124.10.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207864; rev:1;)
alert tcp $HOME_NET any -> [31.184.198.248] 5001 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207865; rev:1;)
alert tcp $HOME_NET any -> [43.249.36.86] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207866; rev:1;)
alert tcp $HOME_NET any -> [93.78.67.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207867; rev:1;)
alert tcp $HOME_NET any -> [91.244.38.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207868; rev:1;)
alert tcp $HOME_NET any -> [188.126.116.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207869; rev:1;)
alert tcp $HOME_NET any -> [88.198.119.118] 5001 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207870; rev:1;)
alert tcp $HOME_NET any -> [109.201.220.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207871; rev:1;)
alert tcp $HOME_NET any -> [136.145.86.27] 3448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207872; rev:1;)
alert tcp $HOME_NET any -> [192.227.158.140] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207873; rev:1;)
alert tcp $HOME_NET any -> [94.179.172.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207874; rev:1;)
alert tcp $HOME_NET any -> [5.165.138.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207875; rev:1;)
alert tcp $HOME_NET any -> [46.254.17.92] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207876; rev:1;)
alert tcp $HOME_NET any -> [5.136.78.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207877; rev:1;)
alert tcp $HOME_NET any -> [91.214.114.196] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207878; rev:1;)
alert tcp $HOME_NET any -> [216.189.52.147] 243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207879; rev:1;)
alert tcp $HOME_NET any -> [5.196.128.192] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207880; rev:1;)
alert tcp $HOME_NET any -> [93.76.205.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207881; rev:1;)
alert tcp $HOME_NET any -> [176.124.10.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207882; rev:1;)
alert tcp $HOME_NET any -> [89.121.205.190] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207883; rev:1;)
alert tcp $HOME_NET any -> [193.238.97.98] 243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207884; rev:1;)
alert tcp $HOME_NET any -> [5.45.179.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207885; rev:1;)
alert tcp $HOME_NET any -> [5.45.179.178] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207886; rev:1;)
alert tcp $HOME_NET any -> [85.237.35.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207887; rev:1;)
alert tcp $HOME_NET any -> [84.200.70.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207888; rev:1;)
alert tcp $HOME_NET any -> [151.236.18.110] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207889; rev:1;)
alert tcp $HOME_NET any -> [151.236.18.110] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207890; rev:1;)
alert tcp $HOME_NET any -> [80.78.253.86] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207891; rev:1;)
alert tcp $HOME_NET any -> [188.210.228.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207892; rev:1;)
alert tcp $HOME_NET any -> [46.183.217.165] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207893; rev:1;)
alert tcp $HOME_NET any -> [95.110.30.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207894; rev:1;)
alert tcp $HOME_NET any -> [108.61.178.212] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207895; rev:1;)
alert tcp $HOME_NET any -> [188.230.65.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207896; rev:1;)
alert tcp $HOME_NET any -> [200.49.169.94] 444 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207897; rev:1;)
alert tcp $HOME_NET any -> [23.113.113.105] 243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207898; rev:1;)
alert tcp $HOME_NET any -> [95.190.48.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207899; rev:1;)
alert tcp $HOME_NET any -> [37.46.121.133] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207900; rev:1;)
alert tcp $HOME_NET any -> [95.106.31.223] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207901; rev:1;)
alert tcp $HOME_NET any -> [162.208.8.198] 3448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207902; rev:1;)
alert tcp $HOME_NET any -> [78.47.66.169] 7447 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207903; rev:1;)
alert tcp $HOME_NET any -> [94.232.79.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207904; rev:1;)
alert tcp $HOME_NET any -> [176.99.171.58] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207905; rev:1;)
alert tcp $HOME_NET any -> [91.222.245.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207906; rev:1;)
alert tcp $HOME_NET any -> [188.167.160.26] 444 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207907; rev:1;)
alert tcp $HOME_NET any -> [188.24.184.86] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207908; rev:1;)
alert tcp $HOME_NET any -> [92.222.98.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207909; rev:1;)
alert tcp $HOME_NET any -> [213.159.253.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207910; rev:1;)
alert tcp $HOME_NET any -> [188.40.253.158] 243 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207911; rev:1;)
alert tcp $HOME_NET any -> [94.73.155.11] 2448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207912; rev:1;)
alert tcp $HOME_NET any -> [115.249.247.26] 4538 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207913; rev:1;)
alert tcp $HOME_NET any -> [46.211.39.37] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207914; rev:1;)
alert tcp $HOME_NET any -> [185.117.73.211] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207915; rev:1;)
alert tcp $HOME_NET any -> [45.127.92.179] 4538 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207916; rev:1;)
alert tcp $HOME_NET any -> [157.252.245.29] 2448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207917; rev:1;)
alert tcp $HOME_NET any -> [185.86.149.194] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207918; rev:1;)
alert tcp $HOME_NET any -> [185.86.149.194] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207919; rev:1;)
alert tcp $HOME_NET any -> [46.201.54.91] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207920; rev:1;)
alert tcp $HOME_NET any -> [62.80.253.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207921; rev:1;)
alert tcp $HOME_NET any -> [159.253.3.233] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207922; rev:1;)
alert tcp $HOME_NET any -> [81.2.243.94] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207923; rev:1;)
alert tcp $HOME_NET any -> [178.137.82.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207924; rev:1;)
alert tcp $HOME_NET any -> [46.101.222.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207925; rev:1;)
alert tcp $HOME_NET any -> [46.101.222.127] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207926; rev:1;)
alert tcp $HOME_NET any -> [42.117.2.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207927; rev:1;)
alert tcp $HOME_NET any -> [86.121.139.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207928; rev:1;)
alert tcp $HOME_NET any -> [46.175.99.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207929; rev:1;)
alert tcp $HOME_NET any -> [198.23.164.196] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207930; rev:1;)
alert tcp $HOME_NET any -> [5.136.178.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207931; rev:1;)
alert tcp $HOME_NET any -> [79.98.104.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207932; rev:1;)
alert tcp $HOME_NET any -> [198.23.164.196] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207933; rev:1;)
alert tcp $HOME_NET any -> [176.108.251.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207934; rev:1;)
alert tcp $HOME_NET any -> [188.165.152.190] 4438 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207935; rev:1;)
alert tcp $HOME_NET any -> [46.30.43.4] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207936; rev:1;)
alert tcp $HOME_NET any -> [84.200.70.46] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207937; rev:1;)
alert tcp $HOME_NET any -> [103.252.100.44] 4493 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207938; rev:1;)
alert tcp $HOME_NET any -> [94.73.155.12] 2448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207939; rev:1;)
alert tcp $HOME_NET any -> [78.47.203.94] 4493 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207940; rev:1;)
alert tcp $HOME_NET any -> [192.227.136.226] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207941; rev:1;)
alert tcp $HOME_NET any -> [46.22.134.78] 4493 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207942; rev:1;)
alert tcp $HOME_NET any -> [89.46.65.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207943; rev:1;)
alert tcp $HOME_NET any -> [213.111.141.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207944; rev:1;)
alert tcp $HOME_NET any -> [94.73.155.10] 2448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207945; rev:1;)
alert tcp $HOME_NET any -> [199.175.55.116] 4493 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207946; rev:1;)
alert tcp $HOME_NET any -> [203.158.193.83] 444 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207947; rev:1;)
alert tcp $HOME_NET any -> [185.106.94.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207948; rev:1;)
alert tcp $HOME_NET any -> [192.3.135.47] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207949; rev:1;)
alert tcp $HOME_NET any -> [185.73.222.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207950; rev:1;)
alert tcp $HOME_NET any -> [31.24.30.175] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207951; rev:1;)
alert tcp $HOME_NET any -> [87.249.215.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207952; rev:1;)
alert tcp $HOME_NET any -> [87.249.215.214] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207953; rev:1;)
alert tcp $HOME_NET any -> [88.150.234.34] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207954; rev:1;)
alert tcp $HOME_NET any -> [185.117.72.251] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207955; rev:1;)
alert tcp $HOME_NET any -> [163.53.247.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207956; rev:1;)
alert tcp $HOME_NET any -> [163.53.247.14] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207957; rev:1;)
alert tcp $HOME_NET any -> [79.114.91.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207958; rev:1;)
alert tcp $HOME_NET any -> [163.53.247.33] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207959; rev:1;)
alert tcp $HOME_NET any -> [181.41.210.188] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207960; rev:1;)
alert tcp $HOME_NET any -> [194.135.83.184] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207961; rev:1;)
alert tcp $HOME_NET any -> [77.55.254.156] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207962; rev:1;)
alert tcp $HOME_NET any -> [77.55.254.156] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207963; rev:1;)
alert tcp $HOME_NET any -> [176.118.46.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207964; rev:1;)
alert tcp $HOME_NET any -> [93.123.236.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207965; rev:1;)
alert tcp $HOME_NET any -> [163.53.247.136] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207966; rev:1;)
alert tcp $HOME_NET any -> [5.9.253.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207967; rev:1;)
alert tcp $HOME_NET any -> [5.9.253.137] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207968; rev:1;)
alert tcp $HOME_NET any -> [92.114.92.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207969; rev:1;)
alert tcp $HOME_NET any -> [92.114.92.116] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207970; rev:1;)
alert tcp $HOME_NET any -> [213.111.189.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207971; rev:1;)
alert tcp $HOME_NET any -> [37.229.230.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207972; rev:1;)
alert tcp $HOME_NET any -> [151.0.15.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207973; rev:1;)
alert tcp $HOME_NET any -> [46.118.71.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207974; rev:1;)
alert tcp $HOME_NET any -> [185.27.102.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207975; rev:1;)
alert tcp $HOME_NET any -> [213.111.99.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207976; rev:1;)
alert tcp $HOME_NET any -> [46.119.94.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207977; rev:1;)
alert tcp $HOME_NET any -> [31.220.109.193] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207978; rev:1;)
alert tcp $HOME_NET any -> [167.160.36.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207979; rev:1;)
alert tcp $HOME_NET any -> [46.20.177.0] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207980; rev:1;)
alert tcp $HOME_NET any -> [78.47.161.143] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207981; rev:1;)
alert tcp $HOME_NET any -> [5.255.78.133] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207982; rev:1;)
alert tcp $HOME_NET any -> [185.12.14.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207983; rev:1;)
alert tcp $HOME_NET any -> [188.190.209.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207984; rev:1;)
alert tcp $HOME_NET any -> [94.253.126.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207985; rev:1;)
alert tcp $HOME_NET any -> [185.58.225.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207986; rev:1;)
alert tcp $HOME_NET any -> [185.58.225.193] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207987; rev:1;)
alert tcp $HOME_NET any -> [79.117.88.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207988; rev:1;)
alert tcp $HOME_NET any -> [5.255.78.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207989; rev:1;)
alert tcp $HOME_NET any -> [188.138.105.21] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207990; rev:1;)
alert tcp $HOME_NET any -> [91.212.89.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207991; rev:1;)
alert tcp $HOME_NET any -> [157.252.245.32] 2448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207992; rev:1;)
alert tcp $HOME_NET any -> [185.12.14.8] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207993; rev:1;)
alert tcp $HOME_NET any -> [194.135.82.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207994; rev:1;)
alert tcp $HOME_NET any -> [119.246.242.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207995; rev:1;)
alert tcp $HOME_NET any -> [62.76.43.176] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207996; rev:1;)
alert tcp $HOME_NET any -> [104.238.177.7] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207997; rev:1;)
alert tcp $HOME_NET any -> [46.236.191.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207998; rev:1;)
alert tcp $HOME_NET any -> [185.14.30.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905207999; rev:1;)
alert tcp $HOME_NET any -> [104.207.156.191] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208000; rev:1;)
alert tcp $HOME_NET any -> [185.14.29.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208001; rev:1;)
alert tcp $HOME_NET any -> [185.82.216.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208002; rev:1;)
alert tcp $HOME_NET any -> [109.234.34.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208003; rev:1;)
alert tcp $HOME_NET any -> [78.30.229.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208004; rev:1;)
alert tcp $HOME_NET any -> [81.162.226.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208005; rev:1;)
alert tcp $HOME_NET any -> [130.204.240.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208006; rev:1;)
alert tcp $HOME_NET any -> [78.129.133.249] 4493 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208007; rev:1;)
alert tcp $HOME_NET any -> [85.186.231.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208008; rev:1;)
alert tcp $HOME_NET any -> [213.231.62.201] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208009; rev:1;)
alert tcp $HOME_NET any -> [81.177.181.217] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208010; rev:1;)
alert tcp $HOME_NET any -> [94.137.4.221] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208011; rev:1;)
alert tcp $HOME_NET any -> [93.77.100.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208012; rev:1;)
alert tcp $HOME_NET any -> [182.93.220.146] 4438 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208013; rev:1;)
alert tcp $HOME_NET any -> [109.87.204.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208014; rev:1;)
alert tcp $HOME_NET any -> [203.172.180.195] 4493 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208015; rev:1;)
alert tcp $HOME_NET any -> [187.141.112.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208016; rev:1;) alert tcp $HOME_NET any -> [89.252.41.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208017; rev:1;) alert tcp $HOME_NET any -> [46.4.173.212] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208018; rev:1;) alert tcp $HOME_NET any -> [92.248.135.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208019; rev:1;) alert tcp $HOME_NET any -> [46.250.3.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208020; rev:1;) alert tcp $HOME_NET any -> [5.2.205.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208021; rev:1;) alert tcp $HOME_NET any -> [77.121.83.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208022; rev:1;) alert tcp $HOME_NET any -> [107.15.99.91] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208023; rev:1;) alert tcp $HOME_NET any -> [109.104.165.232] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208024; rev:1;) alert tcp $HOME_NET any -> [46.211.23.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208025; rev:1;) alert tcp $HOME_NET any -> [163.53.247.37] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208026; rev:1;) alert tcp $HOME_NET any -> [163.53.247.37] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208027; rev:1;) alert tcp $HOME_NET any -> [74.139.176.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208028; rev:1;) alert tcp $HOME_NET any -> [77.246.145.134] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208029; rev:1;) alert tcp $HOME_NET any -> [178.166.229.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208030; rev:1;) alert tcp $HOME_NET any -> [62.75.167.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208031; rev:1;) alert tcp $HOME_NET any -> [217.73.93.77] 443 (msg:"SSLBL: 
Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208032; rev:1;) alert tcp $HOME_NET any -> [89.41.173.221] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208033; rev:1;) alert tcp $HOME_NET any -> [89.41.173.221] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208034; rev:1;) alert tcp $HOME_NET any -> [82.79.179.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208035; rev:1;) alert tcp $HOME_NET any -> [89.207.129.95] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208036; rev:1;) alert tcp $HOME_NET any -> [185.82.202.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208037; rev:1;) alert tcp $HOME_NET any -> [46.43.224.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208038; rev:1;) alert tcp $HOME_NET any -> [5.105.57.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208039; rev:1;) alert tcp $HOME_NET any -> [5.144.76.135] 443 
(msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208040; rev:1;) alert tcp $HOME_NET any -> [92.114.125.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208041; rev:1;) alert tcp $HOME_NET any -> [176.99.12.194] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208042; rev:1;) alert tcp $HOME_NET any -> [91.200.14.87] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208043; rev:1;) alert tcp $HOME_NET any -> [176.31.69.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208044; rev:1;) alert tcp $HOME_NET any -> [176.31.69.78] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208045; rev:1;) alert tcp $HOME_NET any -> [23.92.221.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208046; rev:1;) alert tcp $HOME_NET any -> [23.92.221.82] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208047; rev:1;) alert tcp $HOME_NET any -> 
[95.84.35.196] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208048; rev:1;) alert tcp $HOME_NET any -> [46.185.23.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208049; rev:1;) alert tcp $HOME_NET any -> [5.13.190.196] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208050; rev:1;) alert tcp $HOME_NET any -> [185.31.163.136] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208051; rev:1;) alert tcp $HOME_NET any -> [31.170.107.240] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208052; rev:1;) alert tcp $HOME_NET any -> [213.202.214.141] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208053; rev:1;) alert tcp $HOME_NET any -> [213.202.214.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208054; rev:1;) alert tcp $HOME_NET any -> [85.214.152.31] 4438 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208055; 
rev:1;) alert tcp $HOME_NET any -> [109.200.148.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208056; rev:1;) alert tcp $HOME_NET any -> [189.220.184.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208057; rev:1;) alert tcp $HOME_NET any -> [85.214.71.240] 4438 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208058; rev:1;) alert tcp $HOME_NET any -> [178.234.113.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208059; rev:1;) alert tcp $HOME_NET any -> [77.108.234.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208060; rev:1;) alert tcp $HOME_NET any -> [185.97.253.55] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208061; rev:1;) alert tcp $HOME_NET any -> [5.15.233.255] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208062; rev:1;) alert tcp $HOME_NET any -> [85.173.178.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905208063; rev:1;) alert tcp $HOME_NET any -> [176.104.102.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208064; rev:1;) alert tcp $HOME_NET any -> [89.136.78.110] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208065; rev:1;) alert tcp $HOME_NET any -> [194.44.26.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208066; rev:1;) alert tcp $HOME_NET any -> [46.0.105.129] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208067; rev:1;) alert tcp $HOME_NET any -> [144.76.251.60] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208068; rev:1;) alert tcp $HOME_NET any -> [37.115.77.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208069; rev:1;) alert tcp $HOME_NET any -> [124.219.79.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208070; rev:1;) alert tcp $HOME_NET any -> [31.207.177.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208071; rev:1;) alert tcp $HOME_NET any -> [185.25.49.119] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208072; rev:1;) alert tcp $HOME_NET any -> [182.18.182.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208073; rev:1;) alert tcp $HOME_NET any -> [95.154.203.249] 4438 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208074; rev:1;) alert tcp $HOME_NET any -> [212.3.104.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208075; rev:1;) alert tcp $HOME_NET any -> [178.150.114.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208076; rev:1;) alert tcp $HOME_NET any -> [185.87.51.64] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208077; rev:1;) alert tcp $HOME_NET any -> [5.248.156.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208078; rev:1;) alert tcp $HOME_NET any -> [89.32.145.12] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208079; rev:1;) alert tcp $HOME_NET any -> [178.211.178.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208080; rev:1;) alert tcp $HOME_NET any -> [185.10.56.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208081; rev:1;) alert tcp $HOME_NET any -> [185.10.56.115] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208082; rev:1;) alert tcp $HOME_NET any -> [185.10.56.111] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208083; rev:1;) alert tcp $HOME_NET any -> [188.232.142.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208084; rev:1;) alert tcp $HOME_NET any -> [178.44.126.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208085; rev:1;) alert tcp $HOME_NET any -> [94.45.140.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208086; rev:1;) alert tcp $HOME_NET any -> [95.67.46.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208087; rev:1;) alert tcp $HOME_NET any -> [89.32.40.194] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208088; rev:1;) alert tcp $HOME_NET any -> [178.54.182.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208089; rev:1;) alert tcp $HOME_NET any -> [91.142.221.195] 5445 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208090; rev:1;) alert tcp $HOME_NET any -> [50.83.40.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208091; rev:1;) alert tcp $HOME_NET any -> [188.209.103.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208092; rev:1;) alert tcp $HOME_NET any -> [89.43.212.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208093; rev:1;) alert tcp $HOME_NET any -> [5.15.201.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208094; rev:1;) alert tcp $HOME_NET any -> [46.211.80.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208095; rev:1;) alert tcp $HOME_NET any -> [5.44.100.157] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208096; rev:1;) alert tcp $HOME_NET any -> [178.207.86.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208097; rev:1;) alert tcp $HOME_NET any -> [173.45.192.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208098; rev:1;) alert tcp $HOME_NET any -> [50.30.44.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208099; rev:1;) alert tcp $HOME_NET any -> [163.53.247.75] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208100; rev:1;) alert tcp $HOME_NET any -> [31.170.130.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208101; rev:1;) alert tcp $HOME_NET any -> [95.105.36.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208102; rev:1;) alert tcp $HOME_NET any -> [217.12.218.99] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208103; rev:1;) alert tcp $HOME_NET any -> [46.211.60.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208104; rev:1;) alert tcp $HOME_NET any -> [46.98.28.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208105; rev:1;) alert tcp $HOME_NET any -> [77.121.161.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208106; rev:1;) alert tcp $HOME_NET any -> [176.116.219.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208107; rev:1;) alert tcp $HOME_NET any -> [163.53.247.79] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208108; rev:1;) alert tcp $HOME_NET any -> [176.123.29.23] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208109; rev:1;) alert tcp $HOME_NET any -> [176.123.29.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208110; rev:1;) alert tcp $HOME_NET any -> [46.146.34.254] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208111; rev:1;) alert tcp $HOME_NET any -> [92.38.98.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208112; rev:1;) alert tcp $HOME_NET any -> [109.87.176.87] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208113; rev:1;) alert tcp $HOME_NET any -> [68.169.54.179] 6446 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208114; rev:1;) alert tcp $HOME_NET any -> [91.237.165.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208115; rev:1;) alert tcp $HOME_NET any -> [46.50.179.195] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208116; rev:1;) alert tcp $HOME_NET any -> [188.190.79.185] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208117; rev:1;) alert tcp $HOME_NET any -> [46.148.176.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208118; rev:1;) alert tcp $HOME_NET any -> [77.122.184.254] 443 
(msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208119; rev:1;)
# Reading these rules: each one alerts on an established client-to-server TCP
# flow (flow:established,to_server) from $HOME_NET to a single destination IP
# and port. Nothing else is matched - no payload, TLS certificate or
# fingerprint condition appears in the rule - so the family named in msg is the
# feed's label for that host, not something the rule confirms in the traffic.
# threshold "type limit, track by_src, seconds 60, count 1" limits each sid to
# one alert per source address per 60 seconds; repeated connections inside
# that window are not alerted on again.
# NOTE(review): an address-only match also fires on unrelated services if the
# IP is shared or has been reassigned since it was listed; corroborate a hit
# with DNS, proxy/TLS logs or endpoint telemetry before treating the source
# host as infected, and keep the ruleset refreshed from the feed.
alert tcp $HOME_NET any -> [77.93.52.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208120; rev:1;)
alert tcp $HOME_NET any -> [46.174.246.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208121; rev:1;)
alert tcp $HOME_NET any -> [75.99.13.123] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208122; rev:1;)
alert tcp $HOME_NET any -> [5.164.229.40] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208123; rev:1;)
alert tcp $HOME_NET any -> [89.163.134.221] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208124; rev:1;)
alert tcp $HOME_NET any -> [178.166.249.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208125; rev:1;)
alert tcp $HOME_NET any -> [89.189.174.19] 444 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208126; rev:1;)
alert tcp $HOME_NET any -> [221.132.35.56] 8843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208127; rev:1;)
alert tcp $HOME_NET any -> [78.142.18.68] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208128; rev:1;)
alert tcp $HOME_NET any -> [212.83.171.2] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208129; rev:1;)
alert tcp $HOME_NET any -> [176.104.32.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208130; rev:1;)
alert tcp $HOME_NET any -> [134.249.54.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208131; rev:1;)
alert tcp $HOME_NET any -> [85.238.101.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208132; rev:1;)
alert tcp $HOME_NET any -> [5.248.51.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208133; rev:1;)
alert tcp $HOME_NET any -> [5.14.212.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208134; rev:1;)
alert tcp $HOME_NET any -> [49.50.66.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208135; rev:1;)
alert tcp $HOME_NET any -> [178.137.224.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208136; rev:1;)
alert tcp $HOME_NET any -> [213.111.238.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208137; rev:1;)
alert tcp $HOME_NET any -> [89.108.71.148] 8843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208138; rev:1;)
alert tcp $HOME_NET any -> [62.129.240.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208139; rev:1;)
alert tcp $HOME_NET any -> [185.14.30.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208140; rev:1;)
alert tcp $HOME_NET any -> [89.185.15.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208141; rev:1;)
alert tcp $HOME_NET any -> [82.146.34.197] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208142; rev:1;)
alert tcp $HOME_NET any -> [79.114.28.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208143; rev:1;)
alert tcp $HOME_NET any -> [128.199.239.142] 8843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208144; rev:1;)
alert tcp $HOME_NET any -> [116.100.36.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208145; rev:1;)
alert tcp $HOME_NET any -> [24.70.124.49] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208146; rev:1;)
alert tcp $HOME_NET any -> [46.173.94.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208147; rev:1;)
alert tcp $HOME_NET any -> [163.53.247.20] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208148; rev:1;)
alert tcp $HOME_NET any -> [188.127.237.117] 443 (msg:"SSLBL: Traffic to malicious host (likely ProxyChanger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208149; rev:1;)
alert tcp $HOME_NET any -> [93.79.244.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208150; rev:1;)
alert tcp $HOME_NET any -> [1.93.0.224] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208151; rev:1;)
alert tcp $HOME_NET any -> [31.135.231.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208152; rev:1;)
alert tcp $HOME_NET any -> [178.167.92.223] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208153; rev:1;)
alert tcp $HOME_NET any -> [92.255.219.49] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208154; rev:1;)
alert tcp $HOME_NET any -> [43.251.159.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208155; rev:1;)
alert tcp $HOME_NET any -> [93.113.176.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208156; rev:1;)
alert tcp $HOME_NET any -> [178.76.214.86] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208157; rev:1;)
alert tcp $HOME_NET any -> [89.252.60.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208158; rev:1;)
alert tcp $HOME_NET any -> [128.199.122.196] 6446 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208159; rev:1;)
alert tcp $HOME_NET any -> [195.225.228.156] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208160; rev:1;)
alert tcp $HOME_NET any -> [37.115.15.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208161; rev:1;)
alert tcp $HOME_NET any -> [31.41.44.32] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208162; rev:1;)
alert tcp $HOME_NET any -> [95.211.188.202] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208163; rev:1;)
alert tcp $HOME_NET any -> [93.77.4.198] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208164; rev:1;)
alert tcp $HOME_NET any -> [108.166.178.106] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208165; rev:1;)
alert tcp $HOME_NET any -> [5.8.66.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208166; rev:1;)
alert tcp $HOME_NET any -> [5.135.42.140] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208167; rev:1;)
# msg uses the generic label "Malware" for this host (also sids 905208174,
# 905208182 and 905208184): no family attribution is given, so an alert from
# these rules says less about what to look for on the source host.
alert tcp $HOME_NET any -> [75.126.60.251] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208168; rev:1;)
# "Downloder-Bot" is the label exactly as it appears in this rule's msg; searches,
# suppressions or dashboards keyed on msg text need that same spelling.
alert tcp $HOME_NET any -> [199.217.113.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloder-Bot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208169; rev:1;)
alert tcp $HOME_NET any -> [5.8.60.194] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208170; rev:1;)
alert tcp $HOME_NET any -> [91.230.211.206] 443 (msg:"SSLBL: Traffic to malicious host (likely ProxyChanger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208171; rev:1;)
alert tcp $HOME_NET any -> [173.65.73.254] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208172; rev:1;)
alert tcp $HOME_NET any -> [94.45.148.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208173; rev:1;)
alert tcp $HOME_NET any -> [62.22.91.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208174; rev:1;)
alert tcp $HOME_NET any -> [185.97.253.62] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208175; rev:1;)
alert tcp $HOME_NET any -> [202.129.57.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208176; rev:1;)
alert tcp $HOME_NET any -> [108.166.178.146] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208177; rev:1;)
alert tcp $HOME_NET any -> [83.218.228.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208178; rev:1;)
alert tcp $HOME_NET any -> [91.204.113.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208179; rev:1;)
alert tcp $HOME_NET any -> [69.64.50.99] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208180; rev:1;)
alert tcp $HOME_NET any -> [31.129.95.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208181; rev:1;)
alert tcp $HOME_NET any -> [69.64.59.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208182; rev:1;)
alert tcp $HOME_NET any -> [5.187.4.183] 473 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208183; rev:1;)
alert tcp $HOME_NET any -> [74.86.70.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208184; rev:1;)
alert tcp $HOME_NET any -> [78.129.153.5] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208185; rev:1;)
alert tcp $HOME_NET any -> [82.146.59.109] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208186; rev:1;)
alert tcp $HOME_NET any -> [188.120.250.62] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208187; rev:1;)
alert tcp $HOME_NET any -> [5.8.60.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208188; rev:1;)
alert tcp $HOME_NET any -> [62.102.249.157] 843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208189; rev:1;)
alert tcp $HOME_NET any -> [68.168.100.232] 6446 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208190; rev:1;)
alert tcp $HOME_NET any -> [46.37.1.88] 473 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208191; rev:1;)
alert tcp $HOME_NET any -> [91.226.8.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208192; rev:1;)
alert tcp $HOME_NET any -> [198.74.58.153] 5445 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208193; rev:1;)
alert tcp $HOME_NET any -> [103.251.90.43] 5445 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208194; rev:1;)
alert tcp $HOME_NET any -> [188.65.211.209] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208195; rev:1;)
alert tcp $HOME_NET any -> [119.47.112.227] 473 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208196; rev:1;)
alert tcp $HOME_NET any -> [198.50.205.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208197; rev:1;)
alert tcp $HOME_NET any -> [31.41.44.147] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208198; rev:1;)
alert tcp $HOME_NET any -> [188.166.250.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208199; rev:1;)
alert tcp $HOME_NET any -> [107.170.237.112] 473 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208200; rev:1;)
alert tcp $HOME_NET any -> [185.14.29.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208201; rev:1;)
alert tcp $HOME_NET any -> [106.187.38.36] 473 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208202; rev:1;)
alert tcp $HOME_NET any -> [157.252.245.49] 473 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208203; rev:1;)
alert tcp $HOME_NET any -> [185.26.120.140] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208204; rev:1;)
alert tcp $HOME_NET any -> [213.159.214.156] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208205; rev:1;)
alert tcp $HOME_NET any -> [51.254.140.74] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208206; rev:1;)
# 185.24.233.212 is listed on both 443 and 80, one rule and one sid per port.
# The same pattern recurs for 185.82.202.101 (sids 905208232/905208233),
# 178.208.77.10 (905208248/905208249) and 188.40.227.39 (905208264/905208265).
# The limit threshold is written into each rule separately, so one source
# reaching both ports within a minute can raise two alerts for the same host.
alert tcp $HOME_NET any -> [185.24.233.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208207; rev:1;)
alert tcp $HOME_NET any -> [185.24.233.212] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208208; rev:1;)
alert tcp $HOME_NET any -> [185.114.22.218] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208209; rev:1;)
alert tcp $HOME_NET any -> [45.55.136.31] 473 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208210; rev:1;)
alert tcp $HOME_NET any -> [37.187.87.228] 473 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208211; rev:1;)
alert tcp $HOME_NET any -> [93.185.75.21] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208212; rev:1;)
alert tcp $HOME_NET any -> [193.169.86.130] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208213; rev:1;)
alert tcp $HOME_NET any -> [104.130.17.100] 443 (msg:"SSLBL: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208214; rev:1;)
alert tcp $HOME_NET any -> [89.32.145.12] 4483 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208215; rev:1;)
alert tcp $HOME_NET any -> [38.84.132.172] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208216; rev:1;)
alert tcp $HOME_NET any -> [212.154.175.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208217; rev:1;)
alert tcp $HOME_NET any -> [93.171.159.109] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208218; rev:1;)
alert tcp $HOME_NET any -> [109.120.155.254] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208219; rev:1;)
alert tcp $HOME_NET any -> [78.46.30.43] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208220; rev:1;)
alert tcp $HOME_NET any -> [185.24.219.202] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208221; rev:1;)
alert tcp $HOME_NET any -> [149.210.180.13] 4483 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208222; rev:1;)
alert tcp $HOME_NET any -> [89.248.164.58] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208223; rev:1;)
alert tcp $HOME_NET any -> [31.184.196.83] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208224; rev:1;)
alert tcp $HOME_NET any -> [77.221.144.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208225; rev:1;)
alert tcp $HOME_NET any -> [185.4.75.9] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208226; rev:1;)
alert tcp $HOME_NET any -> [93.170.128.75] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208227; rev:1;)
alert tcp $HOME_NET any -> [5.8.60.15] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208228; rev:1;)
alert tcp $HOME_NET any -> [62.213.67.152] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208229; rev:1;)
alert tcp $HOME_NET any -> [86.105.33.102] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208230; rev:1;)
alert tcp $HOME_NET any -> [188.65.211.205] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208231; rev:1;)
alert tcp $HOME_NET any -> [185.82.202.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208232; rev:1;)
alert tcp $HOME_NET any -> [185.82.202.101] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208233; rev:1;)
# msg labels this destination "Sinkhole" rather than a C&C family, while
# classtype stays trojan-activity like every other rule here.
# NOTE(review): presumably the address is operated by a defender and a hit
# still points at a host trying to reach C&C infrastructure; the rule does
# not say which family, so confirm against the feed before triaging.
alert tcp $HOME_NET any -> [146.148.124.166] 80 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208234; rev:1;)
alert tcp $HOME_NET any -> [198.61.187.234] 4483 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208235; rev:1;)
alert tcp $HOME_NET any -> [212.109.220.249] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208236; rev:1;)
alert tcp $HOME_NET any -> [51.254.139.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208237; rev:1;)
alert tcp $HOME_NET any -> [195.251.250.37] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208238; rev:1;)
alert tcp $HOME_NET any -> [92.114.92.104] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208239; rev:1;)
alert tcp $HOME_NET any -> [95.163.107.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208240; rev:1;)
alert tcp $HOME_NET any -> [188.225.74.109] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208241; rev:1;)
alert tcp $HOME_NET any -> [87.106.18.216] 4483 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208242; rev:1;)
alert tcp $HOME_NET any -> [46.30.42.105] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208243; rev:1;)
alert tcp $HOME_NET any -> [37.128.132.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208244; rev:1;)
alert tcp $HOME_NET any -> [113.53.234.218] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208245; rev:1;)
alert tcp $HOME_NET any -> [84.246.226.211] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208246; rev:1;)
alert tcp $HOME_NET any -> [188.225.74.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208247; rev:1;)
alert tcp $HOME_NET any -> [178.208.77.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208248; rev:1;)
alert tcp $HOME_NET any -> [178.208.77.10] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208249; rev:1;)
alert tcp $HOME_NET any -> [185.75.56.137] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208250; rev:1;)
alert tcp $HOME_NET any -> [185.65.246.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208251; rev:1;)
alert tcp $HOME_NET any -> [46.30.45.203] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208252; rev:1;)
alert tcp $HOME_NET any -> [185.26.120.78] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208253; rev:1;)
alert tcp $HOME_NET any -> [50.30.36.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208254; rev:1;)
alert tcp $HOME_NET any -> [188.225.72.25] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208255; rev:1;)
alert tcp $HOME_NET any -> [92.51.129.33] 4483 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208256; rev:1;)
alert tcp $HOME_NET any -> [109.120.156.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208257; rev:1;)
alert tcp $HOME_NET any -> [62.109.20.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Teslacrypt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208258; rev:1;)
alert tcp $HOME_NET any -> [82.118.24.167] 4483 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208259; rev:1;)
alert tcp $HOME_NET any -> [136.243.237.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208260; rev:1;)
alert tcp $HOME_NET any -> [88.151.246.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208261; rev:1;)
alert tcp $HOME_NET any -> [87.249.215.197] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208262; rev:1;)
alert tcp $HOME_NET any -> [82.146.40.76] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208263; rev:1;)
alert tcp $HOME_NET any -> [188.40.227.39] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208264; rev:1;)
alert tcp $HOME_NET any -> [188.40.227.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208265; rev:1;)
alert tcp $HOME_NET any -> [46.30.41.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208266; rev:1;)
alert tcp $HOME_NET any -> [50.7.202.204] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208267; rev:1;)
alert tcp $HOME_NET any -> [194.31.59.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208268; rev:1;)
alert tcp $HOME_NET any -> [51.254.61.46] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208269; rev:1;)
alert tcp $HOME_NET any -> [185.22.233.47] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208270; rev:1;)
alert tcp $HOME_NET any -> [80.82.64.29] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208271; rev:1;)
alert tcp $HOME_NET any -> [185.75.56.133] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208272; rev:1;)
alert tcp $HOME_NET any -> [95.215.108.70] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208273; rev:1;)
alert tcp $HOME_NET any -> [185.113.223.239] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208274; rev:1;)
alert tcp $HOME_NET any -> [62.75.195.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208275; rev:1;)
alert tcp $HOME_NET any -> [93.179.69.122] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208276; rev:1;)
alert tcp $HOME_NET any -> [5.1.82.140] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208277; rev:1;)
alert tcp $HOME_NET any -> [193.218.145.184] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208278; rev:1;)
alert tcp $HOME_NET any -> [5.34.181.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208279; rev:1;)
alert tcp $HOME_NET any -> [185.86.79.80] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208280; rev:1;)
alert tcp $HOME_NET any -> [178.63.192.245] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208281; rev:1;)
alert tcp $HOME_NET any -> [185.82.200.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208282; rev:1;)
alert tcp $HOME_NET any -> [94.103.80.249] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208283; rev:1;)
alert tcp $HOME_NET any -> [95.173.183.138] 443 (msg:"SSLBL: 
Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208284; rev:1;) alert tcp $HOME_NET any -> [107.161.188.203] 8443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208285; rev:1;) alert tcp $HOME_NET any -> [185.74.252.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208286; rev:1;) alert tcp $HOME_NET any -> [78.46.236.9] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208287; rev:1;) alert tcp $HOME_NET any -> [94.242.224.207] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208288; rev:1;) alert tcp $HOME_NET any -> [109.120.155.159] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208289; rev:1;) alert tcp $HOME_NET any -> [191.101.21.10] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208290; rev:1;) alert tcp $HOME_NET any -> [89.33.64.105] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208291; rev:1;) alert tcp 
$HOME_NET any -> [46.166.172.96] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208292; rev:1;) alert tcp $HOME_NET any -> [95.143.198.13] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208293; rev:1;) alert tcp $HOME_NET any -> [95.143.198.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208294; rev:1;) alert tcp $HOME_NET any -> [5.8.61.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208295; rev:1;) alert tcp $HOME_NET any -> [94.41.203.23] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208296; rev:1;) alert tcp $HOME_NET any -> [93.179.69.118] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208297; rev:1;) alert tcp $HOME_NET any -> [93.76.76.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208298; rev:1;) alert tcp $HOME_NET any -> [50.7.246.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208299; 
rev:1;) alert tcp $HOME_NET any -> [178.20.227.208] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208300; rev:1;) alert tcp $HOME_NET any -> [37.0.125.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Rovnix C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208301; rev:1;) alert tcp $HOME_NET any -> [37.0.125.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208302; rev:1;) alert tcp $HOME_NET any -> [81.22.130.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208303; rev:1;) alert tcp $HOME_NET any -> [176.113.149.167] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208304; rev:1;) alert tcp $HOME_NET any -> [176.113.149.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208305; rev:1;) alert tcp $HOME_NET any -> [46.20.33.67] 1031 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208306; rev:1;) alert tcp $HOME_NET any -> [37.229.248.188] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905208307; rev:1;) alert tcp $HOME_NET any -> [89.65.63.95] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208308; rev:1;) alert tcp $HOME_NET any -> [188.190.220.74] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208309; rev:1;) alert tcp $HOME_NET any -> [46.98.198.6] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208310; rev:1;) alert tcp $HOME_NET any -> [94.76.127.113] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208311; rev:1;) alert tcp $HOME_NET any -> [94.76.127.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208312; rev:1;) alert tcp $HOME_NET any -> [95.169.150.39] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208313; rev:1;) alert tcp $HOME_NET any -> [93.171.158.209] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208314; rev:1;) alert tcp $HOME_NET any -> [46.161.40.109] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905208315; rev:1;) alert tcp $HOME_NET any -> [178.151.116.140] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208316; rev:1;) alert tcp $HOME_NET any -> [37.57.240.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208317; rev:1;) alert tcp $HOME_NET any -> [185.66.218.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Rovnix C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208318; rev:1;) alert tcp $HOME_NET any -> [46.174.241.113] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208319; rev:1;) alert tcp $HOME_NET any -> [46.98.228.56] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208320; rev:1;) alert tcp $HOME_NET any -> [46.46.90.65] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208321; rev:1;) alert tcp $HOME_NET any -> [134.249.43.14] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208322; rev:1;) alert tcp $HOME_NET any -> [134.249.43.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, 
count 1; classtype:trojan-activity; sid:905208323; rev:1;) alert tcp $HOME_NET any -> [46.172.248.90] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208324; rev:1;) alert tcp $HOME_NET any -> [176.113.233.228] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208325; rev:1;) alert tcp $HOME_NET any -> [194.1.156.96] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208326; rev:1;) alert tcp $HOME_NET any -> [158.181.229.159] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208327; rev:1;) alert tcp $HOME_NET any -> [91.214.209.193] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208328; rev:1;) alert tcp $HOME_NET any -> [194.79.60.87] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208329; rev:1;) alert tcp $HOME_NET any -> [93.79.220.228] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208330; rev:1;) alert tcp $HOME_NET any -> [46.35.240.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208331; rev:1;) alert tcp $HOME_NET any -> [193.189.127.121] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208332; rev:1;) alert tcp $HOME_NET any -> [109.251.126.134] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208333; rev:1;) alert tcp $HOME_NET any -> [46.151.252.174] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208334; rev:1;) alert tcp $HOME_NET any -> [58.176.100.75] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208335; rev:1;) alert tcp $HOME_NET any -> [93.76.64.117] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208336; rev:1;) alert tcp $HOME_NET any -> [176.98.20.110] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208337; rev:1;) alert tcp $HOME_NET any -> [79.113.93.158] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208338; rev:1;) alert tcp $HOME_NET any -> [89.185.29.54] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208339; rev:1;) alert tcp $HOME_NET any -> [5.39.222.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208340; rev:1;) alert tcp $HOME_NET any -> [31.128.83.65] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208341; rev:1;) alert tcp $HOME_NET any -> [37.229.24.30] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208342; rev:1;) alert tcp $HOME_NET any -> [62.213.67.250] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208343; rev:1;) alert tcp $HOME_NET any -> [176.102.203.178] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208344; rev:1;) alert tcp $HOME_NET any -> [31.135.118.149] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208345; rev:1;) alert tcp $HOME_NET any -> [46.250.31.148] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208346; rev:1;) alert tcp $HOME_NET any -> [176.73.13.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208347; rev:1;) alert tcp $HOME_NET any -> [176.104.24.228] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208348; rev:1;) alert tcp $HOME_NET any -> [176.104.24.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208349; rev:1;) alert tcp $HOME_NET any -> [91.239.104.131] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208350; rev:1;) alert tcp $HOME_NET any -> [46.33.250.182] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208351; rev:1;) alert tcp $HOME_NET any -> [149.202.114.6] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208352; rev:1;) alert tcp $HOME_NET any -> [169.53.155.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208353; rev:1;) alert tcp $HOME_NET any -> [80.78.245.185] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208354; rev:1;) alert tcp $HOME_NET any -> [78.30.193.128] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208355; rev:1;) alert tcp $HOME_NET any -> [46.151.250.192] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208356; rev:1;) alert tcp $HOME_NET any -> [46.211.42.123] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208357; rev:1;) alert tcp $HOME_NET any -> [109.162.86.32] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208358; rev:1;) alert tcp $HOME_NET any -> [67.161.171.204] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208359; rev:1;) alert tcp $HOME_NET any -> [178.32.160.71] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208360; rev:1;) alert tcp $HOME_NET any -> [111.118.187.81] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208361; rev:1;) alert tcp $HOME_NET any -> [31.135.122.100] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208362; rev:1;) alert tcp $HOME_NET any -> [113.204.137.55] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208363; rev:1;) alert tcp $HOME_NET any -> [5.149.249.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208364; rev:1;) alert tcp $HOME_NET any -> [134.249.40.43] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208365; rev:1;) alert tcp $HOME_NET any -> [192.0.198.51] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208366; rev:1;) alert tcp $HOME_NET any -> [46.250.27.183] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208367; rev:1;) alert tcp $HOME_NET any -> [46.33.52.21] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208368; rev:1;) alert tcp $HOME_NET any -> [46.118.66.221] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208369; rev:1;) alert tcp $HOME_NET any -> [125.134.125.208] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208370; rev:1;) alert tcp $HOME_NET any -> [185.65.247.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208371; rev:1;) alert tcp $HOME_NET any -> [178.32.127.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208372; rev:1;) alert tcp $HOME_NET any -> [31.28.27.15] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208373; rev:1;) alert tcp $HOME_NET any -> [91.225.161.21] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208374; rev:1;) alert tcp $HOME_NET any -> [77.109.58.97] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208375; rev:1;) alert tcp $HOME_NET any -> [46.146.2.34] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208376; rev:1;) alert tcp $HOME_NET any -> [46.211.18.203] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208377; rev:1;) alert tcp $HOME_NET any -> [188.0.122.38] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208378; rev:1;) alert tcp $HOME_NET any -> [188.0.122.38] 443 (msg:"SSLBL: Traffic to malicious host (likely 
Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208379; rev:1;) alert tcp $HOME_NET any -> [46.118.24.111] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208380; rev:1;) alert tcp $HOME_NET any -> [176.99.101.48] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208381; rev:1;) alert tcp $HOME_NET any -> [176.99.101.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208382; rev:1;) alert tcp $HOME_NET any -> [212.80.56.118] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208383; rev:1;) alert tcp $HOME_NET any -> [134.249.65.209] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208384; rev:1;) alert tcp $HOME_NET any -> [185.5.175.216] 2027 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208385; rev:1;) alert tcp $HOME_NET any -> [176.8.32.193] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208386; rev:1;) alert tcp $HOME_NET any -> [37.229.150.88] 443 (msg:"SSLBL: Traffic to malicious host 
(likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208387; rev:1;)
# --- Reviewer notes for the rules that follow --------------------------------
# The line above is the tail of a rule whose start is on the previous line; it
# is kept as-is. From here on the rules are laid out one per line.
#
# What a hit means: every rule matches only on destination IP and TCP port for
# flows leaving $HOME_NET. There is no payload, TLS or certificate keyword, so
# an alert says "a host talked to a listed address", not "C&C protocol seen".
# The family in msg is the blocklist's label ("likely ..."), not something the
# rule verifies.
#
# flow:established,to_server -- the alert needs a completed TCP handshake.
# Connections that are refused or dropped upstream (e.g. by an egress
# firewall) never alert, so correlate with firewall / flow logs when hunting.
#
# threshold: type limit, track by_src, seconds 60, count 1 -- at most one
# alert per source address per rule per 60 s. Alert counts therefore
# understate connection counts, and hosts behind NAT or a proxy collapse into
# a single source.
#
# Some destinations appear under two consecutive sids with different family
# labels (here: 905208401/905208402, 905208407/905208408 and
# 905208415/905208416). One flow raises both alerts; deduplicate on
# destination IP and port before counting incidents.
#
# NOTE(review): the file header marks this as the "Aggressive" variant.
# IP-only indicators go stale when addresses are reassigned -- confirm a hit
# against current SSLBL data before escalating.
# NOTE(review): Snort 2.9 documents the in-rule threshold keyword as
# deprecated in favour of detection_filter / event_filter, while Suricata
# accepts it -- confirm for the engine version in use.
# -----------------------------------------------------------------------------
alert tcp $HOME_NET any -> [188.230.31.190] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208388; rev:1;)
alert tcp $HOME_NET any -> [185.5.175.216] 2028 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208389; rev:1;)
alert tcp $HOME_NET any -> [62.84.255.35] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208390; rev:1;)
alert tcp $HOME_NET any -> [178.151.73.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208391; rev:1;)
alert tcp $HOME_NET any -> [188.191.235.23] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208392; rev:1;)
alert tcp $HOME_NET any -> [134.249.201.60] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208393; rev:1;)
alert tcp $HOME_NET any -> [37.229.211.121] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208394; rev:1;)
alert tcp $HOME_NET any -> [178.216.225.175] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208395; rev:1;)
alert tcp $HOME_NET any -> [46.250.16.255] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208396; rev:1;)
alert tcp $HOME_NET any -> [24.122.211.18] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208397; rev:1;)
alert tcp $HOME_NET any -> [176.104.75.5] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208398; rev:1;)
alert tcp $HOME_NET any -> [176.36.23.31] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208399; rev:1;)
alert tcp $HOME_NET any -> [81.162.67.208] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208400; rev:1;)
# Same destination IP and port as the next rule; only the family label differs.
alert tcp $HOME_NET any -> [93.127.119.6] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208401; rev:1;)
alert tcp $HOME_NET any -> [93.127.119.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208402; rev:1;)
alert tcp $HOME_NET any -> [91.225.58.52] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208403; rev:1;)
alert tcp $HOME_NET any -> [185.15.208.65] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208404; rev:1;)
alert tcp $HOME_NET any -> [85.114.216.12] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208405; rev:1;)
alert tcp $HOME_NET any -> [97.82.168.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208406; rev:1;)
alert tcp $HOME_NET any -> [46.119.173.111] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208407; rev:1;)
alert tcp $HOME_NET any -> [46.119.173.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208408; rev:1;)
alert tcp $HOME_NET any -> [178.158.203.91] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208409; rev:1;)
alert tcp $HOME_NET any -> [109.86.210.227] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208410; rev:1;)
alert tcp $HOME_NET any -> [195.114.153.231] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208411; rev:1;)
alert tcp $HOME_NET any -> [88.198.206.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208412; rev:1;)
alert tcp $HOME_NET any -> [178.151.24.112] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208413; rev:1;)
alert tcp $HOME_NET any -> [93.126.104.254] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208414; rev:1;)
alert tcp $HOME_NET any -> [178.158.148.195] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208415; rev:1;)
alert tcp $HOME_NET any -> [178.158.148.195] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208416; rev:1;)
alert tcp $HOME_NET any -> [31.202.213.206] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208417; rev:1;)
alert tcp $HOME_NET any -> [91.239.232.9] 8448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208418; rev:1;)
alert tcp $HOME_NET any -> [5.248.55.58] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208419; rev:1;)
alert tcp $HOME_NET any -> [109.120.156.2] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208420; rev:1;)
alert tcp $HOME_NET any -> [151.0.13.155] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208421; rev:1;)
alert tcp $HOME_NET any -> [46.119.89.198] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208422; rev:1;)
alert tcp $HOME_NET any -> [109.200.224.223] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208423; rev:1;)
alert tcp $HOME_NET any -> [178.150.184.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208424; rev:1;)
alert tcp $HOME_NET any -> [188.231.147.199] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208425; rev:1;)
alert tcp $HOME_NET any -> [80.78.251.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208426; rev:1;)
# --- Reviewer notes for the rules that follow --------------------------------
# What a hit means: every rule matches only on destination IP and TCP port for
# flows leaving $HOME_NET. There is no payload, TLS or certificate keyword, so
# an alert says "a host talked to a listed address", not "C&C protocol seen".
# The family in msg is the blocklist's label ("likely ..."), not something the
# rule verifies; "Malware" and "Ransomware" labels name no family at all.
#
# flow:established,to_server -- the alert needs a completed TCP handshake.
# Connections that are refused or dropped upstream (e.g. by an egress
# firewall) never alert, so correlate with firewall / flow logs when hunting.
#
# threshold: type limit, track by_src, seconds 60, count 1 -- at most one
# alert per source address per rule per 60 s. Alert counts therefore
# understate connection counts, and hosts behind NAT or a proxy collapse into
# a single source.
#
# Some destinations appear under two consecutive sids with different family
# labels (905208459/460, 468/469, 472/473, 496/497, 499/500, 515/516 and
# 530/531). One flow raises both alerts; deduplicate on destination IP and
# port before counting incidents.
#
# NOTE(review): the file header marks this as the "Aggressive" variant.
# IP-only indicators go stale when addresses are reassigned -- confirm a hit
# against current SSLBL data before escalating.
# NOTE(review): Snort 2.9 documents the in-rule threshold keyword as
# deprecated in favour of detection_filter / event_filter, while Suricata
# accepts it -- confirm for the engine version in use.
# -----------------------------------------------------------------------------
alert tcp $HOME_NET any -> [37.229.220.249] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208427; rev:1;)
alert tcp $HOME_NET any -> [176.106.31.227] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208428; rev:1;)
alert tcp $HOME_NET any -> [93.76.104.167] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208429; rev:1;)
alert tcp $HOME_NET any -> [46.252.214.148] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208430; rev:1;)
alert tcp $HOME_NET any -> [185.82.203.157] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208431; rev:1;)
alert tcp $HOME_NET any -> [37.115.7.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208432; rev:1;)
alert tcp $HOME_NET any -> [97.75.107.134] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208433; rev:1;)
alert tcp $HOME_NET any -> [185.112.249.93] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208434; rev:1;)
alert tcp $HOME_NET any -> [109.162.95.100] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208435; rev:1;)
alert tcp $HOME_NET any -> [43.251.158.175] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208436; rev:1;)
alert tcp $HOME_NET any -> [178.216.226.16] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208437; rev:1;)
alert tcp $HOME_NET any -> [46.119.7.179] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208438; rev:1;)
alert tcp $HOME_NET any -> [195.38.117.3] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208439; rev:1;)
alert tcp $HOME_NET any -> [46.63.51.190] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208440; rev:1;)
alert tcp $HOME_NET any -> [77.121.248.109] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208441; rev:1;)
alert tcp $HOME_NET any -> [71.226.78.56] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208442; rev:1;)
alert tcp $HOME_NET any -> [5.154.190.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208443; rev:1;)
alert tcp $HOME_NET any -> [31.41.51.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208444; rev:1;)
alert tcp $HOME_NET any -> [176.106.2.38] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208445; rev:1;)
alert tcp $HOME_NET any -> [176.36.174.59] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208446; rev:1;)
alert tcp $HOME_NET any -> [37.57.86.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208447; rev:1;)
alert tcp $HOME_NET any -> [178.151.161.143] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208448; rev:1;)
alert tcp $HOME_NET any -> [46.118.54.10] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208449; rev:1;)
alert tcp $HOME_NET any -> [5.248.99.180] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208450; rev:1;)
alert tcp $HOME_NET any -> [217.79.184.115] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208451; rev:1;)
alert tcp $HOME_NET any -> [31.43.102.34] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208452; rev:1;)
alert tcp $HOME_NET any -> [91.201.155.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208453; rev:1;)
alert tcp $HOME_NET any -> [66.240.183.19] 843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208454; rev:1;)
alert tcp $HOME_NET any -> [5.196.227.51] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208455; rev:1;)
alert tcp $HOME_NET any -> [46.250.120.231] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208456; rev:1;)
alert tcp $HOME_NET any -> [95.134.255.41] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208457; rev:1;)
alert tcp $HOME_NET any -> [78.47.119.85] 543 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208458; rev:1;)
# Same destination IP and port as the next rule; only the family label differs.
alert tcp $HOME_NET any -> [173.71.98.228] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208459; rev:1;)
alert tcp $HOME_NET any -> [173.71.98.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208460; rev:1;)
alert tcp $HOME_NET any -> [31.133.76.115] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208461; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208462; rev:1;)
alert tcp $HOME_NET any -> [62.152.36.25] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208463; rev:1;)
alert tcp $HOME_NET any -> [217.23.7.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208464; rev:1;)
alert tcp $HOME_NET any -> [134.249.24.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208465; rev:1;)
alert tcp $HOME_NET any -> [46.175.76.22] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208466; rev:1;)
alert tcp $HOME_NET any -> [31.43.61.24] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208467; rev:1;)
alert tcp $HOME_NET any -> [31.131.115.55] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208468; rev:1;)
alert tcp $HOME_NET any -> [31.131.115.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208469; rev:1;)
alert tcp $HOME_NET any -> [91.121.15.225] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208470; rev:1;)
alert tcp $HOME_NET any -> [212.115.244.218] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208471; rev:1;)
alert tcp $HOME_NET any -> [95.105.249.36] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208472; rev:1;)
alert tcp $HOME_NET any -> [95.105.249.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208473; rev:1;)
alert tcp $HOME_NET any -> [188.42.254.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208474; rev:1;)
alert tcp $HOME_NET any -> [46.118.158.172] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208475; rev:1;)
alert tcp $HOME_NET any -> [46.118.113.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208476; rev:1;)
alert tcp $HOME_NET any -> [178.54.238.73] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208477; rev:1;)
alert tcp $HOME_NET any -> [74.119.194.18] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208478; rev:1;)
alert tcp $HOME_NET any -> [50.7.202.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208479; rev:1;)
alert tcp $HOME_NET any -> [176.114.47.28] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208480; rev:1;)
alert tcp $HOME_NET any -> [141.0.177.142] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208481; rev:1;)
alert tcp $HOME_NET any -> [87.76.55.248] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208482; rev:1;)
alert tcp $HOME_NET any -> [77.121.173.27] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208483; rev:1;)
alert tcp $HOME_NET any -> [213.111.149.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208484; rev:1;)
alert tcp $HOME_NET any -> [201.175.17.35] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208485; rev:1;)
alert tcp $HOME_NET any -> [64.58.156.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208486; rev:1;)
alert tcp $HOME_NET any -> [213.130.8.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208487; rev:1;)
alert tcp $HOME_NET any -> [46.160.66.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208488; rev:1;)
alert tcp $HOME_NET any -> [14.33.25.64] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208489; rev:1;)
# The next two rules share destination IP and port and name the same family;
# the msg text differs only by "C&C". A single flow triggers both sids.
alert tcp $HOME_NET any -> [195.154.184.240] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208490; rev:1;)
alert tcp $HOME_NET any -> [195.154.184.240] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208491; rev:1;)
alert tcp $HOME_NET any -> [188.190.76.247] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208492; rev:1;)
alert tcp $HOME_NET any -> [91.121.82.113] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208493; rev:1;)
alert tcp $HOME_NET any -> [62.16.38.131] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208494; rev:1;)
alert tcp $HOME_NET any -> [185.53.130.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208495; rev:1;)
alert tcp $HOME_NET any -> [109.87.187.170] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208496; rev:1;)
alert tcp $HOME_NET any -> [109.87.187.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208497; rev:1;)
alert tcp $HOME_NET any -> [89.33.64.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208498; rev:1;)
alert tcp $HOME_NET any -> [89.185.12.238] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208499; rev:1;)
alert tcp $HOME_NET any -> [89.185.12.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208500; rev:1;)
alert tcp $HOME_NET any -> [46.10.155.98] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208501; rev:1;)
alert tcp $HOME_NET any -> [109.234.34.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208502; rev:1;)
alert tcp $HOME_NET any -> [119.81.87.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208503; rev:1;)
alert tcp $HOME_NET any -> [103.252.85.146] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208504; rev:1;)
alert tcp $HOME_NET any -> [88.226.196.239] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208505; rev:1;)
alert tcp $HOME_NET any -> [151.0.52.255] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208506; rev:1;)
alert tcp $HOME_NET any -> [176.8.78.178] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208507; rev:1;)
alert tcp $HOME_NET any -> [176.113.235.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208508; rev:1;)
# Same host on two ports (80 and 443): separate rules, separate thresholds.
alert tcp $HOME_NET any -> [188.40.170.155] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208509; rev:1;)
alert tcp $HOME_NET any -> [188.40.170.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208510; rev:1;)
alert tcp $HOME_NET any -> [212.47.196.149] 543 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208511; rev:1;)
alert tcp $HOME_NET any -> [80.252.250.149] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208512; rev:1;)
alert tcp $HOME_NET any -> [91.221.36.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208513; rev:1;)
alert tcp $HOME_NET any -> [188.138.71.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208514; rev:1;)
alert tcp $HOME_NET any -> [176.110.22.247] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208515; rev:1;)
alert tcp $HOME_NET any -> [176.110.22.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208516; rev:1;)
alert tcp $HOME_NET any -> [80.245.117.198] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208517; rev:1;)
alert tcp $HOME_NET any -> [80.247.233.18] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208518; rev:1;)
alert tcp $HOME_NET any -> [91.231.84.120] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208519; rev:1;)
alert tcp $HOME_NET any -> [148.251.157.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208520; rev:1;)
alert tcp $HOME_NET any -> [194.58.111.157] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208521; rev:1;)
alert tcp $HOME_NET any -> [37.1.17.1] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208522; rev:1;)
alert tcp $HOME_NET any -> [93.170.155.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208523; rev:1;)
alert tcp $HOME_NET any -> [78.137.52.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208524; rev:1;)
alert tcp $HOME_NET any -> [46.36.219.141] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208525; rev:1;)
alert tcp $HOME_NET any -> [88.198.25.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208526; rev:1;)
alert tcp $HOME_NET any -> [78.115.79.21] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208527; rev:1;)
alert tcp $HOME_NET any -> [146.185.243.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208528; rev:1;)
alert tcp $HOME_NET any -> [91.218.231.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208529; rev:1;)
alert tcp $HOME_NET any -> [91.202.105.30] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208530; rev:1;)
alert tcp $HOME_NET any -> [91.202.105.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208531; rev:1;)
alert tcp $HOME_NET any -> [136.243.219.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208532; rev:1;)
alert tcp $HOME_NET any -> [109.104.189.67] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208533; rev:1;)
alert tcp $HOME_NET any -> [178.137.242.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208534; rev:1;)
alert tcp $HOME_NET any -> [185.65.244.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208535; rev:1;)
alert tcp $HOME_NET any -> [93.171.132.5] 743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208536; rev:1;)
alert tcp $HOME_NET any -> [78.46.160.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208537; rev:1;)
alert tcp $HOME_NET any -> [178.151.89.152] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208538; rev:1;)
alert tcp $HOME_NET any -> [144.76.232.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208539; rev:1;)
alert tcp $HOME_NET any -> [31.131.251.33] 743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208540; rev:1;)
alert tcp $HOME_NET any -> [85.25.199.246] 543 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208541; rev:1;)
alert tcp $HOME_NET any -> [93.171.158.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208542; rev:1;)
alert tcp $HOME_NET any -> [185.83.144.162] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208543; rev:1;)
alert tcp $HOME_NET any -> [109.86.230.210] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208544; rev:1;)
alert tcp $HOME_NET any -> [68.169.49.213] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208545; rev:1;)
alert tcp $HOME_NET any -> [199.241.30.233] 449 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208546; rev:1;)
alert tcp $HOME_NET any -> [94.23.110.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208547; rev:1;)
alert tcp $HOME_NET any -> [162.243.12.14] 449 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208548; rev:1;)
alert tcp $HOME_NET any -> [188.93.73.90] 449 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208549; rev:1;)
alert tcp $HOME_NET any -> [194.58.96.45] 4543 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208550; rev:1;)
alert tcp $HOME_NET any -> [95.163.121.252] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208551; rev:1;)
alert tcp $HOME_NET any -> [86.105.18.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208552; rev:1;)
alert tcp $HOME_NET any -> [91.201.215.46] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905208553; rev:1;) alert tcp $HOME_NET any -> [188.40.170.157] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208554; rev:1;) alert tcp $HOME_NET any -> [188.40.170.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208555; rev:1;) alert tcp $HOME_NET any -> [210.209.89.162] 8080 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208556; rev:1;) alert tcp $HOME_NET any -> [5.178.82.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208557; rev:1;) alert tcp $HOME_NET any -> [151.248.123.100] 743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208558; rev:1;) alert tcp $HOME_NET any -> [91.121.91.221] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208559; rev:1;) alert tcp $HOME_NET any -> [192.199.254.173] 8080 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208560; rev:1;) alert tcp $HOME_NET any -> [151.80.10.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208561; rev:1;) alert tcp $HOME_NET any -> [37.123.96.184] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208562; rev:1;) alert tcp $HOME_NET any -> [46.151.52.100] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208563; rev:1;) alert tcp $HOME_NET any -> [178.236.143.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208564; rev:1;) alert tcp $HOME_NET any -> [5.196.249.187] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208565; rev:1;) alert tcp $HOME_NET any -> [37.52.123.48] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208566; rev:1;) alert tcp $HOME_NET any -> [109.237.47.9] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208567; rev:1;) alert tcp $HOME_NET any -> [78.47.143.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208568; rev:1;) alert tcp $HOME_NET any -> [78.47.248.147] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208569; rev:1;) alert tcp $HOME_NET any -> [81.9.24.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208570; rev:1;) alert tcp $HOME_NET any -> [178.151.197.61] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208571; rev:1;) alert tcp $HOME_NET any -> [176.99.6.10] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208572; rev:1;) alert tcp $HOME_NET any -> [176.9.118.201] 449 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208573; rev:1;) alert tcp $HOME_NET any -> [185.39.149.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208574; rev:1;) alert tcp $HOME_NET any -> [212.114.109.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208575; rev:1;) alert tcp $HOME_NET any -> [176.28.10.253] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208576; rev:1;) alert tcp $HOME_NET any -> [62.210.214.106] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208577; rev:1;) alert tcp $HOME_NET any -> [37.123.101.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208578; rev:1;) alert tcp $HOME_NET any -> [109.72.120.184] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208579; rev:1;) alert tcp $HOME_NET any -> [109.72.120.184] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208580; rev:1;) alert tcp $HOME_NET any -> [211.230.11.228] 443 (msg:"SSLBL: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208581; rev:1;) alert tcp $HOME_NET any -> [80.252.246.25] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208582; rev:1;) alert tcp $HOME_NET any -> [46.166.171.83] 9999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208583; rev:1;) alert tcp $HOME_NET any -> [62.84.253.186] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208584; rev:1;) alert tcp $HOME_NET any -> [46.119.46.122] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208585; rev:1;) alert tcp $HOME_NET any -> [5.1.30.184] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208586; rev:1;) alert tcp $HOME_NET any -> [212.55.84.80] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208587; rev:1;) alert tcp $HOME_NET any -> [69.164.213.85] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208588; rev:1;) alert tcp $HOME_NET any -> [77.121.172.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208589; rev:1;) alert tcp $HOME_NET any -> [96.227.129.124] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208590; rev:1;) alert tcp $HOME_NET any -> [178.150.153.18] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208591; rev:1;) alert tcp $HOME_NET any -> [93.171.253.155] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208592; rev:1;) alert tcp $HOME_NET any -> [93.171.253.155] 443 (msg:"SSLBL: Traffic to malicious host (likely 
Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208593; rev:1;) alert tcp $HOME_NET any -> [87.254.45.100] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208594; rev:1;) alert tcp $HOME_NET any -> [188.226.166.43] 448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208595; rev:1;) alert tcp $HOME_NET any -> [37.229.13.98] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208596; rev:1;) alert tcp $HOME_NET any -> [5.63.158.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208597; rev:1;) alert tcp $HOME_NET any -> [178.32.72.224] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208598; rev:1;) alert tcp $HOME_NET any -> [91.244.9.212] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208599; rev:1;) alert tcp $HOME_NET any -> [46.19.136.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208600; rev:1;) alert tcp $HOME_NET any -> [176.111.184.13] 443 (msg:"SSLBL: Traffic to malicious 
host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208601; rev:1;) alert tcp $HOME_NET any -> [5.39.52.203] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208602; rev:1;) alert tcp $HOME_NET any -> [118.174.151.27] 943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208603; rev:1;) alert tcp $HOME_NET any -> [183.81.166.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208604; rev:1;) alert tcp $HOME_NET any -> [78.47.139.58] 843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208605; rev:1;) alert tcp $HOME_NET any -> [78.137.55.55] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208606; rev:1;) alert tcp $HOME_NET any -> [185.14.29.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208607; rev:1;) alert tcp $HOME_NET any -> [178.211.41.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208608; rev:1;) alert tcp $HOME_NET any -> [185.62.190.26] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208609; rev:1;) alert tcp $HOME_NET any -> [37.229.222.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208610; rev:1;) alert tcp $HOME_NET any -> [195.114.159.190] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208611; rev:1;) alert tcp $HOME_NET any -> [188.40.170.154] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208612; rev:1;) alert tcp $HOME_NET any -> [85.25.238.8] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208613; rev:1;) alert tcp $HOME_NET any -> [31.202.220.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208614; rev:1;) alert tcp $HOME_NET any -> [178.20.227.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208615; rev:1;) alert tcp $HOME_NET any -> [185.42.15.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208616; rev:1;) alert tcp $HOME_NET any -> [188.230.84.45] 
443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208617; rev:1;) alert tcp $HOME_NET any -> [212.92.231.196] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208618; rev:1;) alert tcp $HOME_NET any -> [95.47.28.117] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208619; rev:1;) alert tcp $HOME_NET any -> [185.81.155.103] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208620; rev:1;) alert tcp $HOME_NET any -> [178.136.205.53] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208621; rev:1;) alert tcp $HOME_NET any -> [188.230.15.191] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208622; rev:1;) alert tcp $HOME_NET any -> [93.78.19.128] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208623; rev:1;) alert tcp $HOME_NET any -> [86.105.195.109] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208624; rev:1;) alert tcp $HOME_NET any -> 
[178.213.187.122] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208625; rev:1;) alert tcp $HOME_NET any -> [76.74.177.209] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208626; rev:1;) alert tcp $HOME_NET any -> [93.188.162.29] 443 (msg:"SSLBL: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208627; rev:1;) alert tcp $HOME_NET any -> [87.98.173.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208628; rev:1;) alert tcp $HOME_NET any -> [195.169.147.79] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208629; rev:1;) alert tcp $HOME_NET any -> [78.47.182.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208630; rev:1;) alert tcp $HOME_NET any -> [185.86.76.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208631; rev:1;) alert tcp $HOME_NET any -> [109.254.58.99] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208632; rev:1;) alert 
tcp $HOME_NET any -> [176.9.143.115] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208633; rev:1;) alert tcp $HOME_NET any -> [5.135.28.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208634; rev:1;) alert tcp $HOME_NET any -> [128.135.149.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208635; rev:1;) alert tcp $HOME_NET any -> [37.143.11.165] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208636; rev:1;) alert tcp $HOME_NET any -> [185.65.246.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208637; rev:1;) alert tcp $HOME_NET any -> [193.13.142.11] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208638; rev:1;) alert tcp $HOME_NET any -> [136.243.14.142] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208639; rev:1;) alert tcp $HOME_NET any -> [87.236.215.158] 8685 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905208640; rev:1;) alert tcp $HOME_NET any -> [124.156.129.29] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208641; rev:1;) alert tcp $HOME_NET any -> [94.153.65.249] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208642; rev:1;) alert tcp $HOME_NET any -> [31.210.125.234] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208643; rev:1;) alert tcp $HOME_NET any -> [134.249.238.140] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208644; rev:1;) alert tcp $HOME_NET any -> [134.249.238.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208645; rev:1;) alert tcp $HOME_NET any -> [71.14.1.139] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208646; rev:1;) alert tcp $HOME_NET any -> [31.207.196.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208647; rev:1;) alert tcp $HOME_NET any -> [213.111.203.203] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905208648; rev:1;) alert tcp $HOME_NET any -> [213.111.203.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208649; rev:1;) alert tcp $HOME_NET any -> [78.47.28.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208650; rev:1;) alert tcp $HOME_NET any -> [94.23.53.23] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208651; rev:1;) alert tcp $HOME_NET any -> [91.226.93.33] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208652; rev:1;) alert tcp $HOME_NET any -> [217.174.105.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208653; rev:1;) alert tcp $HOME_NET any -> [78.47.182.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208654; rev:1;) alert tcp $HOME_NET any -> [209.40.206.231] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208655; rev:1;) alert tcp $HOME_NET any -> [173.230.130.172] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type 
limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208656; rev:1;) alert tcp $HOME_NET any -> [78.47.136.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208657; rev:1;) alert tcp $HOME_NET any -> [5.135.28.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208658; rev:1;) alert tcp $HOME_NET any -> [79.143.191.147] 6443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208659; rev:1;) alert tcp $HOME_NET any -> [103.27.232.165] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208660; rev:1;) alert tcp $HOME_NET any -> [91.196.63.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208661; rev:1;) alert tcp $HOME_NET any -> [176.38.106.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208662; rev:1;) alert tcp $HOME_NET any -> [188.120.249.231] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208663; rev:1;) alert tcp $HOME_NET any -> [203.151.94.120] 4433 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208664; rev:1;) alert tcp $HOME_NET any -> [70.32.74.108] 7443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208665; rev:1;) alert tcp $HOME_NET any -> [185.12.95.40] 7443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208666; rev:1;) alert tcp $HOME_NET any -> [185.92.221.196] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208667; rev:1;) alert tcp $HOME_NET any -> [87.236.215.151] 80 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208668; rev:1;) alert tcp $HOME_NET any -> [37.115.187.23] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208669; rev:1;) alert tcp $HOME_NET any -> [37.140.195.177] 7443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208670; rev:1;) alert tcp $HOME_NET any -> [212.92.243.65] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208671; rev:1;) alert tcp $HOME_NET any -> [77.122.54.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms 
C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208672; rev:1;) alert tcp $HOME_NET any -> [31.148.219.153] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208673; rev:1;) alert tcp $HOME_NET any -> [77.123.197.14] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208674; rev:1;) alert tcp $HOME_NET any -> [107.170.1.205] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208675; rev:1;) alert tcp $HOME_NET any -> [146.185.128.226] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208676; rev:1;) alert tcp $HOME_NET any -> [31.186.99.250] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208677; rev:1;) alert tcp $HOME_NET any -> [185.91.175.159] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208678; rev:1;) alert tcp $HOME_NET any -> [77.123.202.83] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208679; rev:1;) alert tcp $HOME_NET any -> [178.20.227.49] 443 (msg:"SSLBL: Traffic to malicious 
host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208680; rev:1;) alert tcp $HOME_NET any -> [62.240.61.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208681; rev:1;) alert tcp $HOME_NET any -> [5.100.249.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208682; rev:1;) alert tcp $HOME_NET any -> [80.242.123.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208683; rev:1;) alert tcp $HOME_NET any -> [178.32.53.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208684; rev:1;) alert tcp $HOME_NET any -> [62.76.191.84] 5443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208685; rev:1;) alert tcp $HOME_NET any -> [134.0.115.157] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208686; rev:1;) alert tcp $HOME_NET any -> [188.190.219.104] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208687; rev:1;) alert tcp $HOME_NET any -> [62.76.44.111] 443 (msg:"SSLBL: 
Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208688; rev:1;) alert tcp $HOME_NET any -> [144.76.238.214] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208689; rev:1;) alert tcp $HOME_NET any -> [5.254.106.219] 9866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208690; rev:1;) alert tcp $HOME_NET any -> [94.23.77.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208691; rev:1;) alert tcp $HOME_NET any -> [146.185.221.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208692; rev:1;) alert tcp $HOME_NET any -> [62.210.214.249] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208693; rev:1;) alert tcp $HOME_NET any -> [216.119.147.87] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208694; rev:1;) alert tcp $HOME_NET any -> [95.163.121.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208695; rev:1;) alert tcp $HOME_NET any -> 
[130.88.148.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208696; rev:1;) alert tcp $HOME_NET any -> [178.32.78.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208697; rev:1;) alert tcp $HOME_NET any -> [91.207.146.140] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208698; rev:1;) alert tcp $HOME_NET any -> [178.250.247.28] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208699; rev:1;) alert tcp $HOME_NET any -> [91.215.138.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208700; rev:1;) alert tcp $HOME_NET any -> [118.69.201.20] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208701; rev:1;) alert tcp $HOME_NET any -> [107.161.27.153] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208702; rev:1;) alert tcp $HOME_NET any -> [77.122.225.133] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208703; rev:1;) alert 
tcp $HOME_NET any -> [78.47.182.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208704; rev:1;) alert tcp $HOME_NET any -> [185.11.247.226] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208705; rev:1;) alert tcp $HOME_NET any -> [78.46.60.131] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208706; rev:1;) alert tcp $HOME_NET any -> [176.31.28.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208707; rev:1;) alert tcp $HOME_NET any -> [94.242.58.146] 4433 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208708; rev:1;) alert tcp $HOME_NET any -> [5.105.221.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208709; rev:1;) alert tcp $HOME_NET any -> [185.26.113.63] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208710; rev:1;) alert tcp $HOME_NET any -> [5.63.154.228] 5443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905208711; rev:1;) alert tcp $HOME_NET any -> [185.15.185.201] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208712; rev:1;) alert tcp $HOME_NET any -> [98.27.145.224] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208713; rev:1;) alert tcp $HOME_NET any -> [151.236.216.254] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208714; rev:1;) alert tcp $HOME_NET any -> [78.47.27.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Teslacrypt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208715; rev:1;) alert tcp $HOME_NET any -> [91.218.228.25] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208716; rev:1;) alert tcp $HOME_NET any -> [185.91.175.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208717; rev:1;) alert tcp $HOME_NET any -> [146.120.110.147] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208718; rev:1;) alert tcp $HOME_NET any -> [46.30.41.153] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 
1; classtype:trojan-activity; sid:905208719; rev:1;) alert tcp $HOME_NET any -> [78.47.182.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208720; rev:1;) alert tcp $HOME_NET any -> [37.143.15.116] 4433 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208721; rev:1;) alert tcp $HOME_NET any -> [185.91.175.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208722; rev:1;) alert tcp $HOME_NET any -> [151.97.243.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208723; rev:1;) alert tcp $HOME_NET any -> [159.253.20.116] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208724; rev:1;) alert tcp $HOME_NET any -> [43.249.81.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208725; rev:1;) alert tcp $HOME_NET any -> [173.214.162.88] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208726; rev:1;) alert tcp $HOME_NET any -> [91.219.29.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208727; rev:1;) alert tcp $HOME_NET any -> [185.42.15.147] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208728; rev:1;) alert tcp $HOME_NET any -> [213.111.138.42] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208729; rev:1;) alert tcp $HOME_NET any -> [185.26.115.13] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208730; rev:1;) alert tcp $HOME_NET any -> [87.117.229.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208731; rev:1;) alert tcp $HOME_NET any -> [91.234.24.116] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208732; rev:1;) alert tcp $HOME_NET any -> [185.38.84.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208733; rev:1;) alert tcp $HOME_NET any -> [5.39.8.212] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208734; rev:1;) alert tcp $HOME_NET any -> [59.28.198.171] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208735; rev:1;)
# The rules below match on destination IP and port only, for established client-to-server
# TCP flows from $HOME_NET. They carry no payload or TLS-certificate condition, so an alert
# means "a host connected to a listed address", not confirmed C&C traffic.
# "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert per
# source host per 60 seconds per sid, so alert counts understate connection counts.
alert tcp $HOME_NET any -> [134.19.180.78] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208736; rev:1;)
alert tcp $HOME_NET any -> [5.44.216.44] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208737; rev:1;)
alert tcp $HOME_NET any -> [212.227.89.182] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208738; rev:1;)
alert tcp $HOME_NET any -> [95.163.121.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208739; rev:1;)
alert tcp $HOME_NET any -> [176.31.128.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Bebloh C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208740; rev:1;)
alert tcp $HOME_NET any -> [185.9.156.42] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208741; rev:1;)
# NOTE(review): sid 905208742 and sid 905208743 name the same destination
# (46.36.217.227, port 3443) under different family labels. The per-sid threshold does not
# merge them, so a single connection can raise both alerts; when triaging, correlate on
# destination IP/port rather than on the msg text.
alert tcp $HOME_NET any -> [46.36.217.227] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208742; rev:1;)
alert tcp $HOME_NET any -> [46.36.217.227] 3443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208743; rev:1;)
alert tcp $HOME_NET any -> [194.28.87.125] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208744; rev:1;)
alert tcp $HOME_NET any -> [31.24.30.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208745; rev:1;)
alert tcp $HOME_NET any -> [185.82.202.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208746; rev:1;)
alert tcp $HOME_NET any -> [134.249.29.111] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208747; rev:1;)
alert tcp $HOME_NET any -> [5.45.123.152] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208748; rev:1;)
alert tcp $HOME_NET any -> [104.145.233.121] 8586 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208749; rev:1;)
alert tcp $HOME_NET any -> [95.181.178.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208750; rev:1;)
alert tcp $HOME_NET any -> [89.144.2.148] 443 (msg:"SSLBL: Traffic to malicious host 
(likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208751; rev:1;) alert tcp $HOME_NET any -> [185.82.202.19] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208752; rev:1;) alert tcp $HOME_NET any -> [149.154.64.70] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208753; rev:1;) alert tcp $HOME_NET any -> [144.76.73.3] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208754; rev:1;) alert tcp $HOME_NET any -> [62.152.36.90] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208755; rev:1;) alert tcp $HOME_NET any -> [5.45.124.126] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208756; rev:1;) alert tcp $HOME_NET any -> [185.12.95.191] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208757; rev:1;) alert tcp $HOME_NET any -> [5.45.123.115] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208758; rev:1;) alert tcp $HOME_NET any -> [185.26.115.141] 443 (msg:"SSLBL: 
Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208759; rev:1;) alert tcp $HOME_NET any -> [82.146.58.216] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208760; rev:1;) alert tcp $HOME_NET any -> [46.36.219.32] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208761; rev:1;) alert tcp $HOME_NET any -> [188.226.150.141] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208762; rev:1;) alert tcp $HOME_NET any -> [185.66.70.45] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208763; rev:1;) alert tcp $HOME_NET any -> [89.28.83.228] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208764; rev:1;) alert tcp $HOME_NET any -> [78.24.218.186] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208765; rev:1;) alert tcp $HOME_NET any -> [88.198.201.133] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208766; rev:1;) alert tcp $HOME_NET any -> 
[178.218.221.73] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208767; rev:1;) alert tcp $HOME_NET any -> [46.28.206.57] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208768; rev:1;) alert tcp $HOME_NET any -> [31.210.123.29] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208769; rev:1;) alert tcp $HOME_NET any -> [93.170.105.42] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208770; rev:1;) alert tcp $HOME_NET any -> [93.170.105.48] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208771; rev:1;) alert tcp $HOME_NET any -> [54.69.56.82] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208772; rev:1;) alert tcp $HOME_NET any -> [62.173.145.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208773; rev:1;) alert tcp $HOME_NET any -> [77.40.46.226] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208774; rev:1;) alert tcp $HOME_NET 
any -> [37.140.199.100] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208775; rev:1;) alert tcp $HOME_NET any -> [109.74.146.18] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208776; rev:1;) alert tcp $HOME_NET any -> [82.146.45.128] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208777; rev:1;) alert tcp $HOME_NET any -> [212.109.219.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208778; rev:1;) alert tcp $HOME_NET any -> [217.160.132.80] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208779; rev:1;) alert tcp $HOME_NET any -> [62.76.179.123] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208780; rev:1;) alert tcp $HOME_NET any -> [65.181.126.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Upatre C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208781; rev:1;) alert tcp $HOME_NET any -> [31.210.123.19] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208782; rev:1;) alert 
tcp $HOME_NET any -> [188.132.239.168] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208783; rev:1;) alert tcp $HOME_NET any -> [180.74.253.30] 9999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208784; rev:1;) alert tcp $HOME_NET any -> [188.42.255.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208785; rev:1;) alert tcp $HOME_NET any -> [92.55.147.68] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208786; rev:1;) alert tcp $HOME_NET any -> [82.67.86.227] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208787; rev:1;) alert tcp $HOME_NET any -> [91.238.83.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208788; rev:1;) alert tcp $HOME_NET any -> [178.20.224.143] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208789; rev:1;) alert tcp $HOME_NET any -> [37.123.99.141] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208790; 
rev:1;) alert tcp $HOME_NET any -> [185.11.146.223] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208791; rev:1;) alert tcp $HOME_NET any -> [92.149.41.53] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208792; rev:1;) alert tcp $HOME_NET any -> [201.161.97.2] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208793; rev:1;) alert tcp $HOME_NET any -> [91.210.191.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208794; rev:1;) alert tcp $HOME_NET any -> [178.33.55.223] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208795; rev:1;) alert tcp $HOME_NET any -> [185.49.12.111] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208796; rev:1;) alert tcp $HOME_NET any -> [211.157.143.214] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208797; rev:1;) alert tcp $HOME_NET any -> [62.65.252.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905208798; rev:1;) alert tcp $HOME_NET any -> [185.14.30.155] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208799; rev:1;) alert tcp $HOME_NET any -> [93.79.146.178] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208800; rev:1;) alert tcp $HOME_NET any -> [77.246.147.172] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208801; rev:1;) alert tcp $HOME_NET any -> [37.25.102.37] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208802; rev:1;) alert tcp $HOME_NET any -> [185.86.76.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208803; rev:1;) alert tcp $HOME_NET any -> [93.171.73.162] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208804; rev:1;) alert tcp $HOME_NET any -> [91.226.93.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208805; rev:1;) alert tcp $HOME_NET any -> [82.145.55.144] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905208806; rev:1;) alert tcp $HOME_NET any -> [186.239.255.124] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208807; rev:1;) alert tcp $HOME_NET any -> [130.204.157.17] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208808; rev:1;) alert tcp $HOME_NET any -> [67.183.123.151] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208809; rev:1;) alert tcp $HOME_NET any -> [185.62.189.20] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208810; rev:1;) alert tcp $HOME_NET any -> [46.250.22.190] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208811; rev:1;) alert tcp $HOME_NET any -> [31.128.74.100] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208812; rev:1;) alert tcp $HOME_NET any -> [89.108.88.34] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208813; rev:1;) alert tcp $HOME_NET any -> [191.101.124.162] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905208814; rev:1;) alert tcp $HOME_NET any -> [193.235.147.102] 443 (msg:"SSLBL: Traffic to malicious host (likely CryptoLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208815; rev:1;) alert tcp $HOME_NET any -> [185.25.117.55] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208816; rev:1;) alert tcp $HOME_NET any -> [104.236.5.78] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208817; rev:1;) alert tcp $HOME_NET any -> [92.222.18.232] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208818; rev:1;) alert tcp $HOME_NET any -> [91.245.76.123] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208819; rev:1;) alert tcp $HOME_NET any -> [91.207.86.210] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208820; rev:1;) alert tcp $HOME_NET any -> [88.85.89.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208821; rev:1;) alert tcp $HOME_NET any -> [91.229.210.17] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208822; rev:1;)
alert tcp $HOME_NET any -> [188.120.249.145] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208823; rev:1;)
# The next two rules list the same host on ports 80 and 443 under separate sids. Each rule carries
# its own per-source threshold, so one client that contacts both ports can raise two alerts within
# the same 60 seconds. Neither rule inspects the payload: the port 80 rule matches any established
# TCP flow to that address and port.
alert tcp $HOME_NET any -> [95.143.198.50] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208824; rev:1;)
alert tcp $HOME_NET any -> [95.143.198.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208825; rev:1;)
# The rules below use high, non-standard destination ports. Each one matches only that exact
# IP-and-port pair; traffic to the same host on any other port is not covered by that rule.
alert tcp $HOME_NET any -> [88.150.228.98] 37818 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208826; rev:1;)
alert tcp $HOME_NET any -> [62.108.40.217] 42253 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208827; rev:1;)
alert tcp $HOME_NET any -> [62.108.40.206] 42613 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208828; rev:1;)
alert tcp $HOME_NET any -> [85.198.189.250] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208829; rev:1;)
alert tcp $HOME_NET any -> [84.19.27.189] 42613 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208830; rev:1;) alert tcp $HOME_NET any -> [80.243.190.217] 39817 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208831; rev:1;) alert tcp $HOME_NET any -> [46.28.68.142] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208832; rev:1;) alert tcp $HOME_NET any -> [188.241.112.88] 39316 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208833; rev:1;) alert tcp $HOME_NET any -> [89.32.149.92] 42613 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208834; rev:1;) alert tcp $HOME_NET any -> [177.129.134.254] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208835; rev:1;) alert tcp $HOME_NET any -> [77.81.244.65] 43894 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208836; rev:1;) alert tcp $HOME_NET any -> [82.146.52.170] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208837; rev:1;) alert tcp $HOME_NET any -> [88.159.9.134] 443 (msg:"SSLBL: Traffic to malicious host (likely URLzone C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208838; rev:1;) alert tcp $HOME_NET any -> [109.87.58.69] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208839; rev:1;) alert tcp $HOME_NET any -> [94.232.77.153] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208840; rev:1;) alert tcp $HOME_NET any -> [88.150.197.168] 42613 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208841; rev:1;) alert tcp $HOME_NET any -> [88.150.228.116] 38553 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208842; rev:1;) alert tcp $HOME_NET any -> [37.228.92.188] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208843; rev:1;) alert tcp $HOME_NET any -> [5.175.225.48] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208844; rev:1;) alert tcp $HOME_NET any -> [5.175.225.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208845; rev:1;) alert tcp $HOME_NET any -> [37.25.112.202] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C 
traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208846; rev:1;) alert tcp $HOME_NET any -> [46.173.94.219] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208847; rev:1;) alert tcp $HOME_NET any -> [85.25.134.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208848; rev:1;) alert tcp $HOME_NET any -> [185.25.119.84] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208849; rev:1;) alert tcp $HOME_NET any -> [84.19.27.203] 42311 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208850; rev:1;) alert tcp $HOME_NET any -> [95.105.84.53] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208851; rev:1;) alert tcp $HOME_NET any -> [89.252.19.197] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208852; rev:1;) alert tcp $HOME_NET any -> [93.190.95.112] 38553 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208853; rev:1;) alert tcp $HOME_NET any -> [178.33.66.241] 80 (msg:"SSLBL: Traffic to malicious host (likely 
Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208854; rev:1;) alert tcp $HOME_NET any -> [195.154.252.126] 40601 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208855; rev:1;) alert tcp $HOME_NET any -> [188.132.183.86] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208856; rev:1;) alert tcp $HOME_NET any -> [78.27.159.112] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208857; rev:1;) alert tcp $HOME_NET any -> [93.95.98.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208858; rev:1;) alert tcp $HOME_NET any -> [62.109.24.205] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208859; rev:1;) alert tcp $HOME_NET any -> [185.63.253.139] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208860; rev:1;) alert tcp $HOME_NET any -> [93.190.95.112] 35133 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208861; rev:1;) alert tcp $HOME_NET any -> [93.95.98.29] 443 (msg:"SSLBL: Traffic to 
malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208862; rev:1;) alert tcp $HOME_NET any -> [37.228.88.175] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208863; rev:1;) alert tcp $HOME_NET any -> [188.127.249.145] 54794 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208864; rev:1;) alert tcp $HOME_NET any -> [185.50.68.150] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208865; rev:1;) alert tcp $HOME_NET any -> [37.1.200.35] 3443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208866; rev:1;) alert tcp $HOME_NET any -> [46.161.30.46] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208867; rev:1;) alert tcp $HOME_NET any -> [176.99.6.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208868; rev:1;) alert tcp $HOME_NET any -> [189.2.90.233] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208869; rev:1;) alert tcp $HOME_NET any -> [37.228.91.176] 443 
(msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208870; rev:1;) alert tcp $HOME_NET any -> [89.32.149.60] 65398 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208871; rev:1;) alert tcp $HOME_NET any -> [46.161.30.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208872; rev:1;) alert tcp $HOME_NET any -> [31.148.220.186] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208873; rev:1;) alert tcp $HOME_NET any -> [46.161.30.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208874; rev:1;) alert tcp $HOME_NET any -> [49.50.251.48] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208875; rev:1;) alert tcp $HOME_NET any -> [93.170.130.78] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208876; rev:1;) alert tcp $HOME_NET any -> [46.161.30.41] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208877; rev:1;) alert tcp $HOME_NET 
any -> [207.12.89.221] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208878; rev:1;) alert tcp $HOME_NET any -> [46.161.30.40] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208879; rev:1;) alert tcp $HOME_NET any -> [93.190.95.246] 48383 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208880; rev:1;) alert tcp $HOME_NET any -> [46.161.30.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208881; rev:1;) alert tcp $HOME_NET any -> [192.225.175.94] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208882; rev:1;) alert tcp $HOME_NET any -> [46.161.30.26] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208883; rev:1;) alert tcp $HOME_NET any -> [46.161.30.24] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208884; rev:1;) alert tcp $HOME_NET any -> [93.190.95.243] 38143 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905208885; rev:1;) alert tcp $HOME_NET any -> [37.59.68.9] 8586 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208886; rev:1;) alert tcp $HOME_NET any -> [46.161.30.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208887; rev:1;) alert tcp $HOME_NET any -> [46.161.30.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208888; rev:1;) alert tcp $HOME_NET any -> [185.61.149.134] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208889; rev:1;) alert tcp $HOME_NET any -> [5.231.67.242] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208890; rev:1;) alert tcp $HOME_NET any -> [62.141.34.225] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208891; rev:1;) alert tcp $HOME_NET any -> [62.76.185.72] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208892; rev:1;) alert tcp $HOME_NET any -> [46.109.187.46] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905208893; rev:1;) alert tcp $HOME_NET any -> [5.39.15.162] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208894; rev:1;) alert tcp $HOME_NET any -> [46.161.30.21] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208895; rev:1;) alert tcp $HOME_NET any -> [77.81.244.170] 65529 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208896; rev:1;) alert tcp $HOME_NET any -> [212.175.66.70] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208897; rev:1;) alert tcp $HOME_NET any -> [77.246.146.35] 27564 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208898; rev:1;) alert tcp $HOME_NET any -> [193.124.94.207] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208899; rev:1;) alert tcp $HOME_NET any -> [46.151.53.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208900; rev:1;) alert tcp $HOME_NET any -> [46.161.30.19] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905208901; rev:1;) alert tcp $HOME_NET any -> [149.154.70.18] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208902; rev:1;) alert tcp $HOME_NET any -> [5.135.111.156] 58943 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208903; rev:1;) alert tcp $HOME_NET any -> [193.124.46.93] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208904; rev:1;) alert tcp $HOME_NET any -> [41.185.78.17] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208905; rev:1;) alert tcp $HOME_NET any -> [93.190.95.243] 38043 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208906; rev:1;) alert tcp $HOME_NET any -> [141.255.167.120] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208907; rev:1;) alert tcp $HOME_NET any -> [185.5.52.135] 443 (msg:"SSLBL: Traffic to malicious host (likely Upatre C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208908; rev:1;) alert tcp $HOME_NET any -> [91.213.233.198] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208909; rev:1;) alert tcp $HOME_NET any -> [188.165.227.37] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208910; rev:1;) alert tcp $HOME_NET any -> [46.105.98.111] 4443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208911; rev:1;) alert tcp $HOME_NET any -> [184.95.63.226] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208912; rev:1;) alert tcp $HOME_NET any -> [46.105.98.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208913; rev:1;) alert tcp $HOME_NET any -> [188.165.16.13] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208914; rev:1;) alert tcp $HOME_NET any -> [94.23.252.40] 4443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208915; rev:1;) alert tcp $HOME_NET any -> [46.105.122.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208916; rev:1;) alert tcp $HOME_NET any -> [188.165.251.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208917; rev:1;)
alert tcp $HOME_NET any -> [159.253.19.103] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208918; rev:1;)
# The next two rules have the same destination (185.22.232.138, port 443) and differ only in sid and
# in the family named in msg. A single flow to that address matches both, so expect paired alerts
# (905208919 and 905208920). Do not read either family label as a confirmed identification.
alert tcp $HOME_NET any -> [185.22.232.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Teslacrypt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208919; rev:1;)
alert tcp $HOME_NET any -> [185.22.232.138] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208920; rev:1;)
alert tcp $HOME_NET any -> [109.120.181.170] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208921; rev:1;)
alert tcp $HOME_NET any -> [37.59.46.50] 4443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208922; rev:1;)
alert tcp $HOME_NET any -> [188.165.227.37] 4443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208923; rev:1;)
alert tcp $HOME_NET any -> [95.211.223.206] 38193 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208924; rev:1;)
alert tcp $HOME_NET any -> [213.239.196.143] 443 (msg:"SSLBL: Traffic to malicious host 
(likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208925; rev:1;)
# ---------------------------------------------------------------------------
# SSLBL destination-IP rules, one rule per line.
#
# Each rule alerts on an established, client-to-server TCP flow
# (flow:established,to_server) from $HOME_NET to exactly one destination
# address and port. Nothing else is matched: no rule in this group has a
# content, TLS or certificate keyword, so any session to the listed
# address/port raises the alert.
#
# "threshold: type limit, track by_src, seconds 60, count 1" limits output to
# one alert per source address per 60 seconds for each sid.
#
# The family name in msg is the feed's "likely" attribution; the rule does not
# verify it on the wire. "Malware" is the generic label used when no family is
# named.
#
# Most entries use destination port 443; the remainder use other ports
# (for example 80, 4443, 8586, 44373).
#
# NOTE(review): the rules carry no listing date or reference keyword. Before
# treating a hit as a confirmed infection, check the address against the
# current SSLBL listing; an address may since have been reassigned or may be
# shared with unrelated services - TODO confirm entry age per sid.
# NOTE(review): track by_src keys on the source address as the sensor sees it;
# presumably hosts behind one NAT address share a single 60-second bucket -
# verify against sensor placement.
# NOTE(review): in-rule "threshold" is documented as deprecated in Snort 2.x
# in favour of detection_filter / event_filter; confirm how the deployed
# engine treats it.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [75.127.2.101] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208926; rev:1;)
alert tcp $HOME_NET any -> [176.99.121.195] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208927; rev:1;)
alert tcp $HOME_NET any -> [199.204.45.197] 8586 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208928; rev:1;)
alert tcp $HOME_NET any -> [46.161.30.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208929; rev:1;)
alert tcp $HOME_NET any -> [5.9.106.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Teslacrypt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208930; rev:1;)
# Destination port is 80 here. As with every rule in this group the match is
# on address and port only, so any established TCP session to this address on
# port 80 alerts.
alert tcp $HOME_NET any -> [198.58.95.49] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208931; rev:1;)
alert tcp $HOME_NET any -> [93.190.95.246] 44373 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208932; rev:1;)
alert tcp $HOME_NET any -> [37.228.91.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208933; rev:1;)
alert tcp $HOME_NET any -> [109.236.86.221] 55999 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208934; rev:1;)
alert tcp $HOME_NET any -> [94.23.35.188] 4443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208935; rev:1;)
alert tcp $HOME_NET any -> [64.251.31.170] 4443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208936; rev:1;)
alert tcp $HOME_NET any -> [37.59.46.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208937; rev:1;)
alert tcp $HOME_NET any -> [188.165.251.144] 4443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208938; rev:1;)
alert tcp $HOME_NET any -> [77.221.145.89] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208939; rev:1;)
alert tcp $HOME_NET any -> [77.221.145.85] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208940; rev:1;)
alert tcp $HOME_NET any -> [188.120.253.63] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208941; rev:1;)
# Same destination address as sid:905208935 (port 4443), listed again for
# port 443 under its own sid.
alert tcp $HOME_NET any -> [94.23.35.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208942; rev:1;)
alert tcp $HOME_NET any -> [185.15.208.228] 37189 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208943; rev:1;)
alert tcp $HOME_NET any -> [46.30.42.22] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208944; rev:1;)
alert tcp $HOME_NET any -> [188.165.222.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208945; rev:1;)
alert tcp $HOME_NET any -> [95.163.121.209] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208946; rev:1;)
alert tcp $HOME_NET any -> [31.31.203.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208947; rev:1;)
alert tcp $HOME_NET any -> [108.61.51.166] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208948; rev:1;)
alert tcp $HOME_NET any -> [37.59.2.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208949; rev:1;)
alert tcp $HOME_NET any -> [92.63.100.216] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208950; rev:1;)
alert tcp $HOME_NET any -> [108.61.49.30] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208951; rev:1;)
alert tcp $HOME_NET any -> [194.58.103.150] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208952; rev:1;)
alert tcp $HOME_NET any -> [198.27.110.173] 4881 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208953; rev:1;)
alert tcp $HOME_NET any -> [194.58.103.231] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208954; rev:1;)
alert tcp $HOME_NET any -> [37.228.91.171] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208955; rev:1;)
alert tcp $HOME_NET any -> [62.210.172.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208956; rev:1;)
alert tcp $HOME_NET any -> [151.248.114.96] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208957; rev:1;)
alert tcp $HOME_NET any -> [162.220.8.120] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208958; rev:1;)
alert tcp $HOME_NET any -> [185.20.224.42] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208959; rev:1;)
alert tcp $HOME_NET any -> [217.12.199.52] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208960; rev:1;)
alert tcp $HOME_NET any -> [194.58.108.118] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208961; rev:1;)
alert tcp $HOME_NET any -> [194.58.47.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208962; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.143] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208963; rev:1;)
alert tcp $HOME_NET any -> [77.221.145.66] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208964; rev:1;)
alert tcp $HOME_NET any -> [80.69.77.228] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208965; rev:1;)
alert tcp $HOME_NET any -> [194.58.103.168] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208966; rev:1;)
alert tcp $HOME_NET any -> [109.120.164.205] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208967; rev:1;)
alert tcp $HOME_NET any -> [194.58.103.136] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208968; rev:1;)
alert tcp $HOME_NET any -> [72.232.41.213] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208969; rev:1;)
alert tcp $HOME_NET any -> [94.23.236.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208970; rev:1;)
alert tcp $HOME_NET any -> [109.236.86.220] 37707 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208971; rev:1;)
alert tcp $HOME_NET any -> [62.109.16.244] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208972; rev:1;)
alert tcp $HOME_NET any -> [77.40.119.145] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208973; rev:1;)
alert tcp $HOME_NET any -> [149.210.140.212] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208974; rev:1;)
alert tcp $HOME_NET any -> [188.165.204.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208975; rev:1;)
alert tcp $HOME_NET any -> [109.120.173.94] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208976; rev:1;)
alert tcp $HOME_NET any -> [91.218.230.8] 29200 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208977; rev:1;)
alert tcp $HOME_NET any -> [109.120.182.188] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208978; rev:1;)
alert tcp $HOME_NET any -> [109.120.177.111] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208979; rev:1;)
alert tcp $HOME_NET any -> [188.227.179.83] 41573 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208980; rev:1;)
alert tcp $HOME_NET any -> [195.248.235.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208981; rev:1;)
alert tcp $HOME_NET any -> [176.9.177.244] 1890 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208982; rev:1;)
alert tcp $HOME_NET any -> [77.245.66.76] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208983; rev:1;)
alert tcp $HOME_NET any -> [109.120.165.20] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208984; rev:1;)
# Same destination address as sid:905208971 (port 37707), listed again for
# port 65499 under its own sid.
alert tcp $HOME_NET any -> [109.236.86.220] 65499 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208985; rev:1;)
alert tcp $HOME_NET any -> [146.185.248.22] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208986; rev:1;)
alert tcp $HOME_NET any -> [151.248.118.197] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208987; rev:1;)
alert tcp $HOME_NET any -> [193.124.44.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208988; rev:1;)
alert tcp $HOME_NET any -> [133.242.50.107] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208989; rev:1;)
alert tcp $HOME_NET any -> [178.88.115.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208990; rev:1;)
alert tcp $HOME_NET any -> [109.163.233.151] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208991; rev:1;)
alert tcp $HOME_NET any -> [109.163.233.150] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208992; rev:1;)
# From here on some entries read "MITM" instead of "C&C" in msg. Only the msg
# text differs; header direction, flow, threshold and classtype are the same
# as for the C&C entries.
alert tcp $HOME_NET any -> [94.102.53.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208993; rev:1;)
alert tcp $HOME_NET any -> [89.253.228.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208994; rev:1;)
alert tcp $HOME_NET any -> [193.124.44.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208995; rev:1;)
alert tcp $HOME_NET any -> [194.28.174.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208996; rev:1;)
alert tcp $HOME_NET any -> [194.58.101.195] 443 (msg:"SSLBL: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208997; rev:1;)
alert tcp $HOME_NET any -> [31.220.17.68] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208998; rev:1;)
alert tcp $HOME_NET any -> [185.10.57.158] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905208999; rev:1;)
alert tcp $HOME_NET any -> [185.14.30.197] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209000; rev:1;)
alert tcp $HOME_NET any -> [92.222.153.157] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209001; rev:1;)
alert tcp $HOME_NET any -> [194.58.101.203] 443 (msg:"SSLBL: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209002; rev:1;)
alert tcp $HOME_NET any -> [109.120.180.143] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209003; rev:1;)
alert tcp $HOME_NET any -> [194.58.101.206] 443 (msg:"SSLBL: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209004; rev:1;)
alert tcp $HOME_NET any -> [109.87.62.190] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209005; rev:1;)
alert tcp $HOME_NET any -> [151.248.126.202] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209006; rev:1;)
alert tcp $HOME_NET any -> [37.59.53.29] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209007; rev:1;)
alert tcp $HOME_NET any -> [162.251.69.133] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209008; rev:1;)
alert tcp $HOME_NET any -> [193.124.16.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209009; rev:1;)
alert tcp $HOME_NET any -> [193.169.86.174] 21793 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209010; rev:1;)
alert tcp $HOME_NET any -> [87.118.74.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209011; rev:1;)
alert tcp $HOME_NET any -> [89.253.225.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209012; rev:1;)
alert tcp $HOME_NET any -> [185.45.192.251] 49010 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209013; rev:1;)
alert tcp $HOME_NET any -> [192.210.208.72] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209014; rev:1;)
alert tcp $HOME_NET any -> [94.242.199.101] 61111 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209015; rev:1;)
alert tcp $HOME_NET any -> [107.181.174.84] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209016; rev:1;)
alert tcp $HOME_NET any -> [194.58.96.50] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209017; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.187] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209018; rev:1;)
alert tcp $HOME_NET any -> [5.34.183.222] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209019; rev:1;)
alert tcp $HOME_NET any -> [31.31.192.32] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209020; rev:1;)
alert tcp $HOME_NET any -> [37.140.195.147] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209021; rev:1;)
alert tcp $HOME_NET any -> [193.124.44.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209022; rev:1;)
alert tcp $HOME_NET any -> [176.53.19.132] 443 (msg:"SSLBL: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209023; rev:1;)
alert tcp $HOME_NET any -> [91.207.6.22] 40601 (msg:"SSLBL: Traffic to malicious host (likely Spambot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209024; rev:1;)
alert tcp $HOME_NET any -> [185.14.30.198] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209025; rev:1;)
alert tcp $HOME_NET any -> [162.211.121.133] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209026; rev:1;)
alert tcp $HOME_NET any -> [83.172.8.195] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209027; rev:1;)
alert tcp $HOME_NET any -> [109.120.183.135] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209028; rev:1;)
alert tcp $HOME_NET any -> [166.78.18.204] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209029; rev:1;)
alert tcp $HOME_NET any -> [109.236.86.187] 57016 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209030; rev:1;)
alert tcp $HOME_NET any -> [208.76.52.36] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209031; rev:1;)
alert tcp $HOME_NET any -> [93.171.172.240] 52009 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209032; rev:1;)
alert tcp $HOME_NET any -> [177.234.8.186] 443 (msg:"SSLBL: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209033; rev:1;)
alert tcp $HOME_NET any -> [108.61.51.174] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209034; rev:1;)
alert tcp $HOME_NET any -> [66.113.74.132] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209035; rev:1;)
alert tcp $HOME_NET any -> [23.94.97.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209036; rev:1;)
alert tcp $HOME_NET any -> [31.41.218.225] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209037; rev:1;)
alert tcp $HOME_NET any -> [5.39.222.155] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209038; rev:1;)
alert tcp $HOME_NET any -> [82.146.35.231] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209039; rev:1;)
alert tcp $HOME_NET any -> [195.64.154.120] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209040; rev:1;)
alert tcp $HOME_NET any -> [109.120.177.252] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209041; rev:1;)
alert tcp $HOME_NET any -> [194.58.102.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209042; rev:1;)
alert tcp $HOME_NET any -> [151.248.125.180] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209043; rev:1;)
alert tcp $HOME_NET any -> [93.170.104.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209044; rev:1;)
alert tcp $HOME_NET any -> [188.138.177.32] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209045; rev:1;)
alert tcp $HOME_NET any -> [62.109.17.235] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209046; rev:1;)
alert tcp $HOME_NET any -> [82.146.36.5] 11039 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209047; rev:1;)
alert tcp $HOME_NET any -> [109.120.173.251] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209048; rev:1;)
alert tcp $HOME_NET any -> [37.59.61.123] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209049; rev:1;)
alert tcp $HOME_NET any -> [109.120.182.105] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209050; rev:1;)
alert tcp $HOME_NET any -> [146.0.72.181] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209051; rev:1;)
# ---------------------------------------------------------------------------
# SSLBL destination-IP rules, one rule per line.
#
# Each rule alerts on an established, client-to-server TCP flow
# (flow:established,to_server) from $HOME_NET to exactly one destination
# address and port. There is no content, TLS or certificate keyword, so the
# address/port pair is the whole match.
#
# "threshold: type limit, track by_src, seconds 60, count 1" limits output to
# one alert per source address per 60 seconds for each sid.
#
# The family in msg ("KINS", "Shylock", "Vawtrak", ...) and the "C&C" / "MITM"
# wording are the feed's "likely" attribution; the rule logic is identical
# across them.
#
# NOTE(review): no listing date or reference keyword is present. Triage a hit
# by checking the address against the current SSLBL listing and by
# correlating with host telemetry; an address may have been reassigned or may
# be shared - TODO confirm entry age per sid.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [23.239.133.106] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209052; rev:1;)
alert tcp $HOME_NET any -> [23.95.15.127] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209053; rev:1;)
alert tcp $HOME_NET any -> [188.241.116.231] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209054; rev:1;)
alert tcp $HOME_NET any -> [192.210.215.6] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209055; rev:1;)
alert tcp $HOME_NET any -> [31.41.218.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209056; rev:1;)
alert tcp $HOME_NET any -> [185.25.116.251] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209057; rev:1;)
alert tcp $HOME_NET any -> [188.120.236.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209058; rev:1;)
alert tcp $HOME_NET any -> [87.236.211.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209059; rev:1;)
alert tcp $HOME_NET any -> [91.231.85.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209060; rev:1;)
alert tcp $HOME_NET any -> [68.71.45.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209061; rev:1;)
alert tcp $HOME_NET any -> [178.63.238.190] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209062; rev:1;)
alert tcp $HOME_NET any -> [185.14.28.158] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209063; rev:1;)
alert tcp $HOME_NET any -> [166.78.144.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209064; rev:1;)
alert tcp $HOME_NET any -> [166.63.124.226] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209065; rev:1;)
alert tcp $HOME_NET any -> [140.117.170.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209066; rev:1;)
alert tcp $HOME_NET any -> [31.41.218.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209067; rev:1;)
alert tcp $HOME_NET any -> [77.40.80.253] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209068; rev:1;)
alert tcp $HOME_NET any -> [89.144.14.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209069; rev:1;)
alert tcp $HOME_NET any -> [204.95.99.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209070; rev:1;)
alert tcp $HOME_NET any -> [192.95.51.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209071; rev:1;)
alert tcp $HOME_NET any -> [31.192.105.57] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209072; rev:1;)
alert tcp $HOME_NET any -> [109.120.180.53] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209073; rev:1;)
alert tcp $HOME_NET any -> [149.154.65.73] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209074; rev:1;)
alert tcp $HOME_NET any -> [109.120.150.201] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209075; rev:1;)
alert tcp $HOME_NET any -> [109.120.150.127] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209076; rev:1;)
alert tcp $HOME_NET any -> [204.95.99.204] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209077; rev:1;)
alert tcp $HOME_NET any -> [162.220.167.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209078; rev:1;)
# The only complete rule in this group whose destination port is not 443
# (port 1863).
alert tcp $HOME_NET any -> [82.165.129.253] 1863 (msg:"SSLBL: Traffic to malicious host (likely Worm.Dorkbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209079; rev:1;)
alert tcp $HOME_NET any -> [62.76.178.171] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209080; rev:1;)
alert tcp $HOME_NET any -> [5.34.183.165] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209081; rev:1;)
alert tcp $HOME_NET any -> [109.200.11.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209082; rev:1;)
alert tcp $HOME_NET any -> [141.5.102.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, 
track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209083; rev:1;) alert tcp $HOME_NET any -> [23.254.203.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209084; rev:1;) alert tcp $HOME_NET any -> [62.109.24.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209085; rev:1;) alert tcp $HOME_NET any -> [66.23.230.75] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209086; rev:1;) alert tcp $HOME_NET any -> [87.121.52.82] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209087; rev:1;) alert tcp $HOME_NET any -> [188.241.141.137] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209088; rev:1;) alert tcp $HOME_NET any -> [178.20.225.105] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209089; rev:1;) alert tcp $HOME_NET any -> [54.88.82.254] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209090; rev:1;) alert tcp $HOME_NET any -> [109.120.190.5] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: 
type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209091; rev:1;) alert tcp $HOME_NET any -> [109.120.180.46] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209092; rev:1;) alert tcp $HOME_NET any -> [109.120.180.45] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209093; rev:1;) alert tcp $HOME_NET any -> [108.61.198.109] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209094; rev:1;) alert tcp $HOME_NET any -> [46.28.68.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209095; rev:1;) alert tcp $HOME_NET any -> [193.124.16.136] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209096; rev:1;) alert tcp $HOME_NET any -> [141.105.69.206] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209097; rev:1;) alert tcp $HOME_NET any -> [198.50.171.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209098; rev:1;) alert tcp $HOME_NET any -> [146.185.248.23] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209099; rev:1;)
# Each rule below alerts on an established, client-to-server TCP flow from
# $HOME_NET to the single listed address and port. There is no payload or TLS
# match, so any connection to that endpoint triggers the rule; the threshold
# keeps it to one alert per source address per 60 seconds, per sid.
# NOTE(review): listing dates are not shown in this file; confirm an entry is
# still current and corroborate with host or TLS evidence before acting on it.
alert tcp $HOME_NET any -> [80.240.133.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209100; rev:1;)
alert tcp $HOME_NET any -> [23.89.188.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209101; rev:1;)
alert tcp $HOME_NET any -> [93.188.165.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209102; rev:1;)
alert tcp $HOME_NET any -> [178.159.246.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209103; rev:1;)
alert tcp $HOME_NET any -> [188.190.117.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209104; rev:1;)
# sid 905209105 and sid 905209106 share the destination 195.62.25.239:443 and
# differ only in msg (Vawtrak MITM vs. Vawtrak C&C): one flow raises both
# alerts, so correlate or deduplicate on destination when triaging.
alert tcp $HOME_NET any -> [195.62.25.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209105; rev:1;)
alert tcp $HOME_NET any -> [195.62.25.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209106; rev:1;)
alert tcp $HOME_NET any -> [37.228.92.146] 443 (msg:"SSLBL: Traffic to malicious host 
(likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209107; rev:1;) alert tcp $HOME_NET any -> [85.25.99.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209108; rev:1;) alert tcp $HOME_NET any -> [222.110.205.22] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209109; rev:1;) alert tcp $HOME_NET any -> [213.175.184.150] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209110; rev:1;) alert tcp $HOME_NET any -> [144.76.249.110] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209111; rev:1;) alert tcp $HOME_NET any -> [181.41.199.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209112; rev:1;) alert tcp $HOME_NET any -> [162.247.154.118] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209113; rev:1;) alert tcp $HOME_NET any -> [162.247.154.117] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209114; rev:1;) alert tcp $HOME_NET any -> [191.101.1.94] 443 (msg:"SSLBL: Traffic to 
malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209115; rev:1;) alert tcp $HOME_NET any -> [37.26.93.222] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209116; rev:1;) alert tcp $HOME_NET any -> [62.109.24.233] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209117; rev:1;) alert tcp $HOME_NET any -> [78.135.97.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209118; rev:1;) alert tcp $HOME_NET any -> [176.122.227.28] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209119; rev:1;) alert tcp $HOME_NET any -> [79.136.65.12] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209120; rev:1;) alert tcp $HOME_NET any -> [166.78.174.37] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209121; rev:1;) alert tcp $HOME_NET any -> [109.237.109.246] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209122; rev:1;) alert tcp $HOME_NET any -> [5.63.152.177] 443 
(msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209123; rev:1;) alert tcp $HOME_NET any -> [109.120.161.77] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209124; rev:1;) alert tcp $HOME_NET any -> [109.120.161.78] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209125; rev:1;) alert tcp $HOME_NET any -> [109.120.165.240] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209126; rev:1;) alert tcp $HOME_NET any -> [192.198.82.3] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209127; rev:1;) alert tcp $HOME_NET any -> [62.76.41.55] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209128; rev:1;) alert tcp $HOME_NET any -> [103.11.143.177] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209129; rev:1;) alert tcp $HOME_NET any -> [148.251.72.75] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209130; rev:1;) alert tcp $HOME_NET any -> [54.83.35.44] 443 
(msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209131; rev:1;) alert tcp $HOME_NET any -> [191.101.5.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209132; rev:1;) alert tcp $HOME_NET any -> [185.14.28.135] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209133; rev:1;) alert tcp $HOME_NET any -> [54.81.100.98] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209134; rev:1;) alert tcp $HOME_NET any -> [194.58.97.32] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209135; rev:1;) alert tcp $HOME_NET any -> [94.156.77.26] 443 (msg:"SSLBL: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209136; rev:1;) alert tcp $HOME_NET any -> [109.104.183.141] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209137; rev:1;) alert tcp $HOME_NET any -> [109.236.86.213] 62201 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209138; rev:1;) alert tcp $HOME_NET any -> 
[37.139.47.218] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209139; rev:1;)
alert tcp $HOME_NET any -> [37.200.65.119] 443 (msg:"SSLBL: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209140; rev:1;)
alert tcp $HOME_NET any -> [62.76.185.30] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209141; rev:1;)
# sid 905209142 is the only rule in this group on port 80 rather than 443. The
# rule carries no protocol or content match, so cleartext HTTP to
# 62.210.195.223 alerts as well.
# NOTE(review): confirm against the SSLBL entry that TLS was seen on this port.
alert tcp $HOME_NET any -> [62.210.195.223] 80 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209142; rev:1;)
alert tcp $HOME_NET any -> [91.237.198.61] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209143; rev:1;)
alert tcp $HOME_NET any -> [208.77.23.16] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209144; rev:1;)
alert tcp $HOME_NET any -> [107.181.161.145] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209145; rev:1;)
alert tcp $HOME_NET any -> [209.237.238.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209146; rev:1;)
alert tcp 
$HOME_NET any -> [137.135.208.245] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209147; rev:1;) alert tcp $HOME_NET any -> [95.181.179.240] 32131 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209148; rev:1;) alert tcp $HOME_NET any -> [64.120.193.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209149; rev:1;) alert tcp $HOME_NET any -> [192.161.182.214] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209150; rev:1;) alert tcp $HOME_NET any -> [109.120.161.224] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209151; rev:1;) alert tcp $HOME_NET any -> [185.36.253.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209152; rev:1;) alert tcp $HOME_NET any -> [185.26.146.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209153; rev:1;) alert tcp $HOME_NET any -> [178.18.142.15] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; 
sid:905209154; rev:1;) alert tcp $HOME_NET any -> [194.58.100.232] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209155; rev:1;) alert tcp $HOME_NET any -> [89.39.83.153] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209156; rev:1;) alert tcp $HOME_NET any -> [85.10.228.68] 59131 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209157; rev:1;) alert tcp $HOME_NET any -> [192.161.182.178] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209158; rev:1;) alert tcp $HOME_NET any -> [54.197.49.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209159; rev:1;) alert tcp $HOME_NET any -> [37.59.47.74] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209160; rev:1;) alert tcp $HOME_NET any -> [162.218.233.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209161; rev:1;) alert tcp $HOME_NET any -> [94.100.95.109] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:trojan-activity; sid:905209162; rev:1;) alert tcp $HOME_NET any -> [216.3.111.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209163; rev:1;) alert tcp $HOME_NET any -> [87.224.225.224] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209164; rev:1;) alert tcp $HOME_NET any -> [217.174.100.237] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209165; rev:1;) alert tcp $HOME_NET any -> [95.215.46.150] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209166; rev:1;) alert tcp $HOME_NET any -> [199.167.42.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209167; rev:1;) alert tcp $HOME_NET any -> [216.58.117.114] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209168; rev:1;) alert tcp $HOME_NET any -> [91.210.189.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209169; rev:1;) alert tcp $HOME_NET any -> [162.243.150.28] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, 
seconds 60, count 1; classtype:trojan-activity; sid:905209170; rev:1;) alert tcp $HOME_NET any -> [5.39.222.190] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209171; rev:1;) alert tcp $HOME_NET any -> [78.47.215.59] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209172; rev:1;) alert tcp $HOME_NET any -> [188.241.112.184] 41513 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209173; rev:1;) alert tcp $HOME_NET any -> [31.220.7.117] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209174; rev:1;) alert tcp $HOME_NET any -> [85.25.153.9] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209175; rev:1;) alert tcp $HOME_NET any -> [186.234.246.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209176; rev:1;) alert tcp $HOME_NET any -> [109.120.161.59] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209177; rev:1;) alert tcp $HOME_NET any -> [109.120.161.56] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track 
by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209178; rev:1;) alert tcp $HOME_NET any -> [178.20.229.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209179; rev:1;) alert tcp $HOME_NET any -> [189.127.48.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209180; rev:1;) alert tcp $HOME_NET any -> [108.163.168.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209181; rev:1;) alert tcp $HOME_NET any -> [198.61.231.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209182; rev:1;) alert tcp $HOME_NET any -> [185.14.28.188] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209183; rev:1;) alert tcp $HOME_NET any -> [188.241.116.45] 44913 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209184; rev:1;) alert tcp $HOME_NET any -> [54.198.19.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209185; rev:1;) alert tcp $HOME_NET any -> [192.210.16.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; 
threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209186; rev:1;) alert tcp $HOME_NET any -> [194.47.151.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209187; rev:1;) alert tcp $HOME_NET any -> [37.123.99.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209188; rev:1;) alert tcp $HOME_NET any -> [37.123.102.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209189; rev:1;) alert tcp $HOME_NET any -> [162.213.24.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209190; rev:1;) alert tcp $HOME_NET any -> [91.217.85.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209191; rev:1;) alert tcp $HOME_NET any -> [5.39.222.254] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209192; rev:1;) alert tcp $HOME_NET any -> [5.39.222.132] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209193; rev:1;) alert tcp $HOME_NET any -> [162.243.131.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; 
flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209194; rev:1;) alert tcp $HOME_NET any -> [95.181.178.177] 443 (msg:"SSLBL: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209195; rev:1;) alert tcp $HOME_NET any -> [89.209.77.82] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209196; rev:1;) alert tcp $HOME_NET any -> [62.76.190.11] 8085 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209197; rev:1;) alert tcp $HOME_NET any -> [78.110.173.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905209198; rev:1;) # END (9199) entries