This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"x64": {"time": 1632046026055.9, | |
| "sha1": "62862d22134c8b566d74e753f0215007ee95a8d1", | |
| "sha256": "17eac46860fe0c853b245dd997eb45721073a0a2475249a6a2ae33d7e8a98cd4", | |
| "config": {"HTTP Method Path 2": "\/api\/conversations.create", | |
| "Polling": 30000, | |
| "Watermark": 1192230662, | |
| "Spawn To x86": "C:\\windows\\system32\\conhost.exe 0x4", | |
| "Port": 443, "Beacon Type": "8 (HTTPS)", | |
| "C2 Server": "www.davismemorialhospital.org,\/api\/channels\/replies", | |
| "C2 Host Header": "Host: www.davismemorialhospital.org\r\n", |
MichaelKoczwara
/ beacon configs
Created
September 13, 2021 08:47
Cobalt Strike C2 possibly linked to CVE-2021-40444 hosted on combahton.net
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ip: | |
| 45.147.230.87 | |
| 45.147.230.236 | |
| 45.153.241.251 | |
| 45.153.242.111 | |
| 45.147.228.115 | |
| 45.147.228.143 | |
| 45.153.242.112 | |
| 152.89.247.172 |
MichaelKoczwara
/ beacon configs
Last active
September 14, 2021 02:29
Cobalt Strike C2 possibly attributed to CVE 2021 40444
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Cobalt Strike C2 running on 45.147.229[.]242 (Watermark: 1580103814) | |
| HTTP/1.1 404 Not Found | |
| Server: Microsoft-IIS/8.5 | |
| Content-Type: text/plain | |
| Cache-Control: max-age=1 | |
| Connection: keep-alive | |
| X-Powered-By: ASP.NET | |
| Content-Length: 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 162.244.80.229 | |
| fivezin.com,/jquery-3.3.1.min.js | |
| 162.244.82.77 | |
| soft.azureedge.net,/jquery-3.3.1.min.js | |
| 162.244.80.229 | |
| fivezin.com,/jquery-3.3.1.min.js | |
| 162.244.81.10 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Possible Conti C2 Cobalt Strike Infrastructure | |
| ---------------------------------- | |
| 217.12.202.110 | |
| fivefkl.com,/jquery-3.3.1.min.js | |
| 185.203.116.231 | |
| amusient.com,/jquery-3.5.1.min.js | |
| 217.12.202.71 |
MichaelKoczwara
/ Cobalt Strike - 3.136.160.122
Created
May 6, 2021 11:51
Cobalt Strike - 3.136.160.122
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"x86": {"md5": "14b8702f70942381f3bf001986e5c410", "sha1": "65722b1f7a74309fb56d0b2bbe9f447f2cc02bff", "time": 1620300626962.9, "config": {"Beacon Type": "8 (HTTPS)", "Spawn To x64": "%windir%\\sysnative\\spoolsv.exe", "Method 1": "GET", "HTTP Method Path 2": "\/jquery-3.3.2.min.js", "Header 1": "", "C2 Server": "telemetry.wessonlabpartners.com,\/jquery-3.3.1.min.js,admitting.healthfitconnection.com,\/jquery-3.3.1.min.js,skilled_nursing.healthmanagementtoday.com,\/jquery-3.3.1.min.js", "User Agent": "Mozilla\/5.0 (Windows NT 6.3; Trident\/7.0; rv:11.0) like Gecko", "Max DNS": 255, "Polling": 60000, "DNS Idle": "3.136.160.122", "Pipe Name": "", "Method 2": "POST", "DNS Sleep": 0, "Port": 443, "Jitter": 37, "Spawn To x86": "%windir%\\syswow64\\spoolsv.exe", "Header 2": ""}, "sha256": "2c345b24fe0c5c275ed85580b50565ee6b376a02f81356c723f15eabc0f2884a"}, "x64": {"md5": "12ebf918714aaeeec66272e690596a09", "sha1": "a13194e306cf2df2fb628ea236879d326ef190ed", "time": 1620300629257.4, "config": {"Beacon Type": "8 (HTT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Ip": "42.193.225.116", | |
| "Ports": ["42.193.225.116:22", "42.193.225.116:8888"], | |
| "DefaultBeaconResponses": { | |
| "http://42.193.225.116:8888/": "302/219" | |
| }, | |
| "Jarm": "", | |
| "Certificate": "", | |
| "Beacons": null | |
| } |
MichaelKoczwara
/ Cobalt Strike-C2
Created
April 25, 2021 21:59
Cobalt Strike 195.206.181.208, 195.206.181.210, 195.206.181.213
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://195.206.181.210:80/aaa9 200 209981 | |
| { | |
| "": "\u0004", | |
| ".cryptoscheme": "0", | |
| ".http-get.client": "\u0007\u0003\u0006\u0006Cookie", | |
| ".http-get.server.output": "\u0004", | |
| ".http-get.uri": "195.206.181.210,/ga.js", | |
| ".http-get.verb": "GET", | |
| ".http-post.client": "\n\u0026Content-Type: application/octet-stream\u0007\u0005\u0002id\u0007\u0001\u0004", | |
| ".http-post.uri": "/submit.php", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 139.60.161.62 | |
| {"x64": {"md5": "76ea371a846882c14e1203da09dc6e11", "sha1": "208e53753c6435dcb02001d8a8c8f62fbb4ce79c", "time": 1618902720340.7, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/", "Port": 443, "Beacon Type": "8 (HTTPS)", "Method 2": "GET", "Jitter": 20, "Header 2": "", "DNS Idle": "8.8.8.8", "HTTP Method Path 2": "\/OWA\/", "Max DNS": 235, "Header 1": "", "Method 1": "GET", "User Agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "Polling": 30000, "Pipe Name": ""}, "sha256": "2f256a1b4af0453ae3b7468528e9a21bd767d1b4c8fd86f655e29b5f177215bb"}, "x86": {"md5": "8082ddcf750b84602c0ad0eeff6625c3", "sha1": "f9b4bb659d6c348d1fe8f6c5155831d4b91b8bce", "time": 1618902717665.6, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/" |
MichaelKoczwara
/ Cobalt Strike 218.132.147.207 - 18.130.120.177
Created
April 17, 2021 10:11
Cobalt Strike/C2 218.132.147.207 - 18.130.120.177 c2: sage-salesforce.com/image
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 18.130.120.177 | |
| ec2-18-130-120-177.eu-west-2.compute.amazonaws.com | |
| {"x64": {"md5": "2464855b99ecfd5a0700362a4e0d7656", "config": {"Method 1": "GET", "HTTP Method Path 2": "\/history\/", "Jitter": 0, "C2 Server": "sage-salesforce.com,\/image\/", "Polling": 5000, "Spawn To x86": "%windir%\\syswow64\\mstsc.exe", "Method 2": "GET", "Port": 443, "Beacon Type": "8 (HTTPS)", "Spawn To x64": "%windir%\\sysnative\\mstsc.exe"}, "sha256": "2d1082f1d75d8dc7e66268cf0611d3154d4fe9c43164386d15f64338328b3ccd", "sha1": "be3c6cab9996eee75b08b1d642bef033fee13b58", "time": 1618653337245.6}, "x86": {"md5": "7ffdc76fae6f5b9e2368aa9f6e91eb43", "config": {"Method 1": "GET", "HTTP Method Path 2": "\/history\/", "Jitter": 0, "C2 Server": "sage-salesforce.com,\/image\/", "Polling": 5000, "Spawn To x86": "%windir%\\syswow64\\mstsc.exe", "Method 2": "GET", "Port": 443, "Beacon Type": "8 (HTTPS)", "Spawn To x64": "%windir%\\sysnative\\mstsc.exe"}, "sha256": "ea8bbe9060f7c0e05a1efc648d72753a62e7ecbef1d8ad239c2ba83d43cd10fc", "sha1": "630d |
NewerOlder