172.217.25.14 - suspicious

http://magicview.ga/webxpo/gate.php - mailcious
http://duracom.ga/SD3/win32.exe - malware

magicview.ga(46.173.214.75) - mailcious
duracom.ga(46.173.214.75) - malware
46.173.214.75 - suspicious

ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP

http://ps.popcash.net/go/275368/567202 - mailcious
http://ps.popcash.net/ad/ad?p=275368&w=567202&t=6e236c90efedc53e&r=&vw=0&vh=0 - mailcious
https://simplegrg.shop/favicon.ico
https://simplegrg.shop/home/base64.min.js
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/aes.min.js
https://simplegrg.shop/home/image.php
https://shachibato-anime.shop/
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
https://cdnjs.cloudflare.com/ajax/libs/zepto/1.2.0/zepto.min.js
https://simplegrg.shop/home/?key=8BCE03840BE4E829
https://simplegrg.shop/home?key=8BCE03840BE4E829

ps.popcash.net(52.201.162.15) - mailcious
cdnjs.cloudflare.com(104.16.19.94) - mailcious
simplegrg.shop(185.178.208.137)
shachibato-anime.shop(185.178.208.164)
185.178.208.164 - suspicious
104.16.18.94
52.203.234.71
185.178.208.137
117.18.232.200 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex

https://456345746g546646.gb.net//inc/040b73a6c5b6ac.php

456345746g546646.gb.net()
103.153.182.50
117.18.232.200 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://magicview.ga/webxpo/gate.php - mailcious
http://duracom.ga/SD3/win32.exe - malware

magicview.ga(46.173.214.75) - mailcious
duracom.ga(46.173.214.75) - malware
46.173.214.75 - suspicious
172.217.25.14 - suspicious

ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP

sunspalato.com(18.159.119.57) - malware
172.217.25.14 - suspicious
18.159.119.57 - suspicious
117.18.232.200 - suspicious

ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://456345746g546646.gb.net//inc/040b73a6c5b6ac.php - mailcious

456345746g546646.gb.net() - mailcious
103.153.182.50

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

172.217.25.14 - suspicious

sieqwarteg.com(185.147.80.211) - mailcious
178.250.157.171