194.49.94.80 - mailcious

http://134.122.184.3:8000/4
http://134.122.184.3:8000/3
http://134.122.184.3:8000/2
http://134.122.184.3:8000/1

134.122.184.3 - malware

ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE JS/WSF Downloader Dec 08 2016 M7
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

http://www.batcavela.com/ge06/?kHQD=Q330Nlrdd7wjbNOXaSC7JMUzln/+sA0fy8mpHysJLBlsNI2WRIrp3yqbQPXqvCDIbk6bxFbG&D81h=O2MHdPrXY - rule_id: 37803
http://www.waveoflife.pro/ge06/?kHQD=MT2lmuLr4xW4Y36Na+kfxB+SBx3z6weHsbIXVLyeZmOnioiBuNRbSrEPi8rGHADI09fpEf4R&D81h=O2MHdPrXY

www.batcavela.com(13.248.148.254) - mailcious
www.carat-automotive.com()
www.booptee.com()
www.waveoflife.pro(66.96.162.150)
www.lodsoab.com()
13.248.148.254 - mailcious
66.96.162.150 - mailcious

ET MALWARE FormBook CnC Checkin (GET)

http://www.batcavela.com/ge06/

202.79.172.222 - malware

http://202.79.172.222:8000/4
http://202.79.172.222:8000/1
http://202.79.172.222:8000/3
http://202.79.172.222:8000/2

202.79.172.222 - malware

ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE JS/WSF Downloader Dec 08 2016 M7
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

http://blmceii.xyz/cbot/blista.php
http://blmceii.xyz/cbot/collector.php

blmceii.xyz(213.226.100.83)
213.226.100.83

eqay5.za.com(158.220.84.172)
158.220.84.172

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure