http://116.202.6.47/
http://uaery.top/dl/build2.exe - rule_id: 23456
http://116.202.6.47/photos.zip
http://zexeq.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
https://steamcommunity.com/profiles/76561199471222742
https://t.me/nemesisgrow

t.me(149.154.167.99) - mailcious
uaery.top(210.182.29.70) - malware
api.2ip.ua(162.0.217.254)
steamcommunity.com(104.76.78.101) - mailcious
zexeq.com(37.34.248.24) - malware
149.154.167.99 - mailcious
211.119.84.112 - malware
211.59.14.90 - malware
162.0.217.254
116.202.6.47
104.76.78.101 - mailcious

ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

http://uaery.top/dl/build2.exe