2022-06-17_Matanbuchus_CobaltStrike
Cobalt Strike Config
####################################################
https://extic.icu/
C2 Server: 185.217.1.23 (/inject.jpgv)
Watermark: 426352781
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 YaBrowser/21.9.0.1488 Yowser/2.5 Safari/537.36
HttpPostUri: /optimal
SleepTime: 60652
MaxGetSize: 1864740
Jitter: 73
MaxDNS: Not Found
PublicKey MD5: 49de6fb6b31f6615a0549270bda1efde
Malleable C2 Instructions: Remove 600 bytes from the beginning
Base64 decode
Base64 decode
Spawnto_x86: %windir%\syswow64\w32tm.exe
Spawnto_x64: %windir%\sysnative\w32tm.exe
####################################################
https://reykh.icu/
C2 Server: 190.123.44.220 (/thaw.txt)
Watermark: 426352781
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A3003) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.74 Mobile Safari/537.36
HttpPostUri: /shorten
SleepTime: 53605
MaxGetSize: 1398447
Jitter: 63
MaxDNS: Not Found
PublicKey MD5: d625126bd4d7cf421d2d001fc29c7ce2
Malleable C2 Instructions: Remove 339 bytes from the beginning
Base64 decode
XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\mstsc.exe
Spawnto_x64: %windir%\sysnative\mstsc.exe
####################################################
https://mssfr.icu/
C2 Server: 190.123.44.126 (/maximum.png)
Watermark: 426352781
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36
HttpPostUri: /employ
SleepTime: 50845
MaxGetSize: 2796804
Jitter: 33
MaxDNS: Not Found
PublicKey MD5: a0c8fe032bfefc3569f35b4f89c1bdf6
Malleable C2 Instructions: Remove 600 bytes from the beginning
Base64 decode
NetBIOS decode 'a'
Spawnto_x86: %windir%\syswow64\WerFault.exe
Spawnto_x64: %windir%\sysnative\WerFault.exe