http://91.207.183.9:8000/main.exe

http://91.207.183.9:8000/main.exe

http://91.207.183.9:8000/main.bat - rule_id: 37338
http://91.207.183.9:8000/artwork.hta - rule_id: 37341

www2.lunapic.com(72.9.146.243)
91.207.183.9 - mailcious
72.9.146.243

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible HTA Application Download
ET INFO Dotted Quad Host HTA Request
ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1

http://91.207.183.9:8000/main.bat
http://91.207.183.9:8000/artwork.hta

http://223.26.52.96:8000/1

223.26.52.96 - malware

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
SURICATA HTTP Request abnormal Content-Encoding header
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE OneLouder EXE download possibly installing Zeus P2P
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M6
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP

http://91.207.183.9:8000/main.bat
http://91.207.183.9:8000/main.exe

www2.lunapic.com(72.9.146.243)
91.207.183.9 - mailcious
72.9.146.243

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1

http://www.zeropointenergyhvac.com/t6tg/?jDKP8=vAEcViLLfRnXrvGHJGOy3S0oM5KgJr+WLGiVWET49+NKpGPyCcxnbWSVNLBpcRBJoM/m8+js&8p0=IbtHbJ
http://www.domumix.com/t6tg/?jDKP8=NCr4hxvH2ezd5PnFQvFe4UNVT4u8oc6t8Rf/c3KW26/rudMQ46jCsaNfWBhm2pOWUClrv1g3&8p0=IbtHbJ
http://www.ssongg13026.cfd/t6tg/?jDKP8=Nmqux/666XlLtJ3WEKzUk3EHj+ftlkJxJixPq7eQ/k8b2WLLehoT1axEI2nKmBLwOwlBSnRz&8p0=IbtHbJ
http://www.tugerdi.site/t6tg/?jDKP8=Za8NgA951HtgEMA/N1pbqY3Eng45w2byd25/9jAsmGZLSXWq5l9klRymntmNRw3MeMdtayU2&8p0=IbtHbJ

www.domumix.com(23.227.38.74)
www.ssongg13026.cfd(101.32.68.183)
www.zeropointenergyhvac.com(15.197.148.33)
www.tugerdi.site(93.89.226.17)
101.32.68.183 - mailcious
15.197.148.33
93.89.226.17 - mailcious
23.227.38.74 - mailcious

ET MALWARE FormBook CnC Checkin (GET)

api.ipify.org(173.231.16.77)
173.231.16.77

ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)