2022-01-25_CobaltStrikeConfigs

Cobalt Strike beacons on the same range.
Reference: https://twitter.com/Max_Mal_/status/1485984545623134213 (#Emotet infection leads to #CobaltStrike)
####################################################
https://172.241.27.107/
C2 Server: repigeleli.com (/ro.html)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
HttpPostUri: /fam_newspaper
SleepTime: 5000
MaxGetSize: 2796804
Jitter: 15
MaxDNS: Not Found
PublicKey MD5: db61a374b7fb8a975193dd10a016565c
Malleable C2 Instructions: Remove 600 bytes from the beginning
Base64 decode
NetBIOS decode 'a'
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
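The "Malleable C2 Instructions" lines in each record are the decode side of that profile's server-output transform: the beacon strips the junk prefix, then undoes each encoding until the task bytes remain. The Python below is an added example (not part of this gist and not Cobalt Strike code) that parses those instruction lines exactly as printed above, applies them to a response body, and also builds the matching encoded body from a constructed payload so the decoder can be checked offline. Assumptions: the steps apply top to bottom to the raw HTTP response body; "NetBIOS decode 'a'/'A'" maps each pair of letters back to one byte (letter minus the base letter gives a nibble); "XOR mask w/ random key" means a 4-byte key sits in front of the data and is XORed over it cyclically. The filler bytes standing in for the removed prefix and the sample payload are constructed.

```python
import base64
import os
import re

# Added example, not code from the gist or from Cobalt Strike. Assumption: each
# instruction line is applied top to bottom to the raw HTTP response body.

def netbios_encode(data: bytes, base: int) -> bytes:
    """Each byte becomes two letters: base + high nibble, base + low nibble."""
    out = bytearray()
    for b in data:
        out += bytes((base + (b >> 4), base + (b & 0x0F)))
    return bytes(out)

def netbios_decode(data: bytes, base: int) -> bytes:
    if len(data) % 2:
        raise ValueError("NetBIOS-encoded data must have an even length")
    out = bytearray()
    for i in range(0, len(data), 2):
        hi, lo = data[i] - base, data[i + 1] - base
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError(f"byte pair at offset {i} is not NetBIOS-encoded")
        out.append((hi << 4) | lo)
    return bytes(out)

def mask_encode(data: bytes, key: bytes = b"") -> bytes:
    """XOR mask: a 4-byte random key is prepended and XORed cyclically over the data."""
    key = key or os.urandom(4)
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))

def mask_decode(data: bytes) -> bytes:
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))

def parse_instructions(lines):
    """Turn the dump's instruction lines into (op, arg) steps."""
    steps = []
    for raw in lines:
        line = raw.replace("Malleable C2 Instructions:", "").strip()
        if (m := re.fullmatch(r"Remove (\d+) bytes from the beginning", line)):
            steps.append(("remove_beginning", int(m.group(1))))
        elif line == "Base64 decode":
            steps.append(("base64", None))
        elif line == "Base64 URL-safe decode":
            steps.append(("base64url", None))
        elif (m := re.fullmatch(r"NetBIOS decode '([aA])'", line)):
            steps.append(("netbios", ord(m.group(1))))
        elif line == "XOR mask w/ random key":
            steps.append(("mask", None))
        else:
            raise ValueError(f"unknown instruction: {line!r}")
    return steps

def decode_body(body: bytes, steps) -> bytes:
    """Apply the steps in listed order, as the beacon does to a response body."""
    data = body
    for op, arg in steps:
        if op == "remove_beginning":
            data = data[arg:]
        elif op == "base64":
            data = base64.b64decode(data)
        elif op == "base64url":  # tolerate stripped '=' padding
            data = base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))
        elif op == "netbios":
            data = netbios_decode(data, arg)
        elif op == "mask":
            data = mask_decode(data)
    return data

def encode_body(payload: bytes, steps, filler: bytes = b"x") -> bytes:
    """Inverse of decode_body: the shape of body a server would send (filler is constructed)."""
    data = payload
    for op, arg in reversed(steps):
        if op == "remove_beginning":
            data = filler * arg + data
        elif op == "base64":
            data = base64.b64encode(data)
        elif op == "base64url":
            data = base64.urlsafe_b64encode(data).rstrip(b"=")
        elif op == "netbios":
            data = netbios_encode(data, arg)
        elif op == "mask":
            data = mask_encode(data)
    return data

# Instruction chains as printed in the records, keyed by C2 host.
PAGE_CHAINS = {
    "repigeleli.com": ["Remove 600 bytes from the beginning", "Base64 decode", "NetBIOS decode 'a'"],
    "vafici.com": ["Remove 874 bytes from the beginning", "Base64 decode", "NetBIOS decode 'a'"],
    "ragojel.com": ["Remove 600 bytes from the beginning", "Base64 decode", "Base64 decode"],
    "sufebul.com": ["Remove 881 bytes from the beginning", "Base64 decode", "NetBIOS decode 'A'"],
    "lawapuyal.com": ["Remove 338 bytes from the beginning", "Base64 decode", "Base64 URL-safe decode"],
    "zolewiso.com": ["Remove 338 bytes from the beginning", "Base64 decode", "XOR mask w/ random key"],
}

def roundtrip(host: str, payload: bytes = b"constructed task bytes \x00\x01\xff") -> bool:
    steps = parse_instructions(PAGE_CHAINS[host])
    return decode_body(encode_body(payload, steps), steps) == payload

if __name__ == "__main__":
    print({host: roundtrip(host) for host in PAGE_CHAINS})
```

The decoder refuses letters outside the 16-letter NetBIOS alphabet rather than silently producing bytes, which is the check you want when carving a suspected response out of a pcap: a failure at the NetBIOS or Base64 step usually means the "Remove N bytes" count was taken from the wrong record.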
####################################################
https://172.241.27.123/
C2 Server: vafici.com (/ba.js)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
HttpPostUri: /FAQ
SleepTime: 5000
MaxGetSize: 2797078
Jitter: 8
MaxDNS: Not Found
PublicKey MD5: a8bff98c789f609084be10dcc6e564c9
Malleable C2 Instructions: Remove 874 bytes from the beginning
Base64 decode
NetBIOS decode 'a'
Spawnto_x86: %windir%\syswow64\mstsc.exe
Spawnto_x64: %windir%\sysnative\mstsc.exe
####################################################
https://172.241.27.128/
C2 Server: ragojel.com (/RELEASE)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
HttpPostUri: /sitemap
SleepTime: 5000
MaxGetSize: 1864740
Jitter: 23
MaxDNS: Not Found
PublicKey MD5: 7863048c80cb32b195977ec72bcf7b51
Malleable C2 Instructions: Remove 600 bytes from the beginning
Base64 decode
Base64 decode
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
####################################################
https://172.241.27.198/
C2 Server: sufebul.com (/en.js)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
HttpPostUri: /FAQ
SleepTime: 5000
MaxGetSize: 2797085
Jitter: 7
MaxDNS: Not Found
PublicKey MD5: f3b81a729b58e699e306e87bd53e13f1
Malleable C2 Instructions: Remove 881 bytes from the beginning
Base64 decode
NetBIOS decode 'A'
Spawnto_x86: %windir%\syswow64\mstsc.exe
Spawnto_x64: %windir%\sysnative\mstsc.exe
####################################################
https://172.241.27.230/
C2 Server: lawapuyal.com (/posting)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202
HttpPostUri: /eo
SleepTime: 5000
MaxGetSize: 1864474
Jitter: 27
MaxDNS: Not Found
PublicKey MD5: d6014c2eb47d9335aed2ecbd039d8e53
Malleable C2 Instructions: Remove 338 bytes from the beginning
Base64 decode
Base64 URL-safe decode
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
####################################################
https://172.241.27.248/
C2 Server: zolewiso.com (/panel)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri: /tab_home_active
SleepTime: 5000
MaxGetSize: 1398446
Jitter: 28
MaxDNS: Not Found
PublicKey MD5: af242ec456596684cd6984f5d480bceb
Malleable C2 Instructions: Remove 338 bytes from the beginning
Base64 decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
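To turn a listing like this into something a SOC can act on, the records need to be parsed into structured fields and then pivoted: the four beacons sharing watermark 1580103814 belong to one licensed team server, while the two with watermark 0 do not, and the C2 host plus GET/POST URI pairs are what a proxy log will actually show. The Python below is an added example (not part of this gist) that parses the record layout used above (a "https://<ip>/" header line, then "Key: value" lines, with the "Malleable C2 Instructions" value continuing on lines that carry no "Key: " prefix), groups hosts by watermark, and matches a proxied request against the records. The sample input embeds the first and last records of this listing verbatim; the field names it assigns ("ip", "c2_host", "get_uri") are this example's own.

```python
import re
from collections import defaultdict

# Added example, not the gist's own code. Field names below ("ip", "c2_host",
# "get_uri", "instructions") are this example's choice, not a tool's output.
HEADER = re.compile(r"^https?://([^/\s]+)/?\s*$")
C2_SERVER = re.compile(r"^(\S+)\s*\((\S+)\)$")
INT_FIELDS = ("Watermark", "Port", "SleepTime", "Jitter", "MaxGetSize")

def parse_dump(text: str) -> list:
    """Split the listing into one dict per beacon record."""
    records, current, multi = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"#"}:  # blank or "####" separator
            multi = None
            continue
        if (m := HEADER.match(line)):
            current = {"ip": m.group(1), "instructions": []}
            records.append(current)
            multi = None
            continue
        if current is None:  # preamble before the first record
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            multi = None
            if key == "C2 Server":
                m = C2_SERVER.match(value)
                current["c2_host"] = m.group(1) if m else value
                current["get_uri"] = m.group(2) if m else None
            elif key == "Malleable C2 Instructions":
                current["instructions"].append(value)
                multi = "instructions"
            elif key in INT_FIELDS:
                current[key] = int(value)
            else:
                current[key] = value
        elif multi:  # continuation line of a multi-line value
            current[multi].append(line)
    return records

def by_watermark(records) -> dict:
    """Group C2 hosts by licence watermark; a shared non-zero value is a pivot."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("Watermark")].append(r.get("c2_host"))
    return dict(groups)

def match_request(records, host: str, uri: str) -> list:
    """IPs of records whose C2 host and GET or POST URI match a proxied request."""
    return [r["ip"] for r in records
            if r.get("c2_host") == host and uri in (r.get("get_uri"), r.get("HttpPostUri"))]

# First and last records of the listing, copied verbatim.
SAMPLE = r"""
####################################################
https://172.241.27.107/
C2 Server: repigeleli.com (/ro.html)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
HttpPostUri: /fam_newspaper
SleepTime: 5000
MaxGetSize: 2796804
Jitter: 15
MaxDNS: Not Found
PublicKey MD5: db61a374b7fb8a975193dd10a016565c
Malleable C2 Instructions: Remove 600 bytes from the beginning
Base64 decode
NetBIOS decode 'a'
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
####################################################
https://172.241.27.248/
C2 Server: zolewiso.com (/panel)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri: /tab_home_active
SleepTime: 5000
MaxGetSize: 1398446
Jitter: 28
MaxDNS: Not Found
PublicKey MD5: af242ec456596684cd6984f5d480bceb
Malleable C2 Instructions: Remove 338 bytes from the beginning
Base64 decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
"""

if __name__ == "__main__":
    recs = parse_dump(SAMPLE)
    print(by_watermark(recs), match_request(recs, "repigeleli.com", "/fam_newspaper"))
```

Feed the whole listing to parse_dump to get all six records; the preamble lines before the first separator are skipped. Matching on host plus URI rather than on IP alone matters here because the beacons resolve the C2 domains, so the proxy log carries the hostname while the IP only appears once DNS is correlated.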