http://116.202.6.47/
http://uaery.top/dl/build2.exe - rule_id: 23456
http://116.202.6.47/photos.zip
http://zexeq.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
https://steamcommunity.com/profiles/76561199471222742
https://t.me/nemesisgrow

t.me(149.154.167.99) - mailcious
uaery.top(210.182.29.70) - malware
api.2ip.ua(162.0.217.254)
steamcommunity.com(104.76.78.101) - mailcious
zexeq.com(37.34.248.24) - malware
149.154.167.99 - mailcious
211.119.84.112 - malware
211.59.14.90 - malware
162.0.217.254
116.202.6.47
104.76.78.101 - mailcious

ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

http://uaery.top/dl/build2.exe

http://checkip.dyndns.org/
http://107.172.4.169/09/Datiycvj.bmp

checkip.dyndns.org(193.122.6.168)
132.226.8.169
107.172.4.169 - malware

ET HUNTING Suspicious Terse Request for .bmp
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain

http://checkip.dyndns.org/
http://107.172.4.169/09/Iksgu.bmp

checkip.dyndns.org(193.122.6.168)
193.122.130.0
107.172.4.169 - malware

ET HUNTING Suspicious Terse Request for .bmp
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain

mnxrxyulbk05pdg.docywg7eumhcj4sgz()

http://geoplugin.net/json.gp
http://194.180.48.211/zara/Dedepseud52.toc
http://194.180.48.211/zara/BWTqkhVBTwqHOjTU152.psm

geoplugin.net(178.237.33.50)
178.237.33.50
185.225.74.90
194.180.48.211 - mailcious

ET JA3 Hash - Remcos 3.x TLS Connection