ThreatFox IOC Database
You are viewing the ThreatFox database entry for url https://duckducklive.top:8443/rest/2/meetingsmCRW64qPFqLKw7X56lR41fx.
Database Entry
This IOC expired
This IOC is old and expired on 2025-12-06 01:15:01 UTC; it is therefore no longer exported into the ThreatFox datasets. This database entry is purely informational and has no impact.
| IOC ID: | 1095041 |
|---|---|
| IOC: | https://duckducklive.top:8443/rest/2/meetingsmCRW64qPFqLKw7X56lR41fx |
| IOC Type: | url |
| Threat Type: | botnet_cc |
| Malware: | Cobalt Strike |
| Malware alias: | Agentemis, BEACON, CobaltStrike, cobeacon |
| Confidence Level: | high (100%) |
| ASN: | AS9370 MAINT-JPNIC |
| Country: | JP |
| First seen: | 2023-03-29 04:51:20 UTC |
| Last seen: | never |
| UUID: | 59738b56-cded-11ed-928d-42010aa4000a |
| Reporter: | |
| Reward: | 5 credits from ThreatFox |
| Tags: | 391144938, Beacon, Cobalt Strike, CobaltStrike |
| Reference: | https://www.virustotal.com/gui/file/b5da1db6d69f2f872e603beb0f121c68f3320ed33a0c9835bfc1a931d177c947 |
AndreGironda

Parsed beacon configuration:

```text
BeaconType                   - HTTPS
Port                         - 8443
SleepTime                    - 1000
MaxGetSize                   - 2097974
Jitter                       - 19
MaxDNS                       - Not Found
PublicKey_MD5                - eb8a239b9d79f6a249c35ec15c2c19eb
C2Server                     - duckducklive.top,/functionalStatus/fDLridgHMu-3IxnJCWNllcZnbqLnn8fyb
UserAgent                    - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:85.1) Gecko/20100101 Firefox/85.1
HttpPostUri                  - /rest/2/meetingsmCRW64qPFqLKw7X56lR41fx
Malleable_C2_Instructions    - Remove 8 bytes from the end
                               Remove 8 bytes from the end
                               Remove 10 bytes from the end
                               Remove 6 bytes from the end
                               Remove 11 bytes from the end
                               Remove 33 bytes from the end
                               Remove 69 bytes from the end
                               Remove 55 bytes from the end
                               Remove 67 bytes from the end
                               Remove 27 bytes from the end
                               Remove 15 bytes from the end
                               Remove 25 bytes from the end
                               Remove 32 bytes from the end
                               Remove 72 bytes from the end
                               Remove 16 bytes from the beginning
                               Remove 17 bytes from the beginning
                               Remove 11 bytes from the beginning
                               Remove 31 bytes from the beginning
                               Remove 80 bytes from the beginning
                               Remove 60 bytes from the beginning
                               Remove 54 bytes from the beginning
                               Remove 69 bytes from the beginning
                               Remove 38 bytes from the beginning
                               Remove 8 bytes from the beginning
                               NetBIOS decode 'a'
HttpGet_Metadata             - ConstHeaders
                                 Host: duckducklive.top
                                 Accept: */*
                                 Accept-Language: en-US
                                 Connection: close
                               Metadata
                                 netbios
                                 parameter "_"
HttpPost_Metadata            - ConstHeaders
                                 Host: duckducklive.top
                                 Accept: */*
                                 Accept-Language: en
                                 Connection: close
                               SessionId
                                 netbios
                                 header "x-verification-rid"
                               Output
                                 netbios
PipeName                     - Not Found
DNS_Idle                     - Not Found
DNS_Sleep                    - Not Found
SSH_Host                     - Not Found
SSH_Port                     - Not Found
SSH_Username                 - Not Found
SSH_Password_Plaintext       - Not Found
SSH_Password_Pubkey          - Not Found
SSH_Banner                   -
HttpGet_Verb                 - GET
HttpPost_Verb                - POST
HttpPostChunk                - 0
Spawnto_x86                  - %windir%\syswow64\WWAHost.exe
Spawnto_x64                  - %windir%\sysnative\WWAHost.exe
CryptoScheme                 - 0
Proxy_Config                 - Not Found
Proxy_User                   - Not Found
Proxy_Password               - Not Found
Proxy_Behavior               - Use IE settings
Watermark_Hash               - idvyUaMDKubWW4TL3iPjBw==
Watermark                    - 391144938
bStageCleanup                - True
bCFGCaution                  - False
KillDate                     - 0
bProcInject_StartRWX         - True
bProcInject_UseRWX           - False
bProcInject_MinAllocSize     - 14934
ProcInject_PrependAppend_x86 - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                               Empty
ProcInject_PrependAppend_x64 - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                               Empty
ProcInject_Execute           - ntdll.dll:RtlUserThreadStart
                               NtQueueApcThread-s
                               SetThreadContext
                               CreateRemoteThread
                               kernel32.dll:LoadLibraryA
                               RtlCreateUserThread
ProcInject_AllocationMethod  - VirtualAllocEx
bUsesCookies                 - False
HostHeader                   -
headersToRemove              - Not Found
DNS_Beaconing                - Not Found
DNS_get_TypeA                - Not Found
DNS_get_TypeAAAA             - Not Found
DNS_get_TypeTXT              - Not Found
DNS_put_metadata             - Not Found
DNS_put_output               - Not Found
DNS_resolver                 - Not Found
DNS_strategy                 - round-robin
DNS_strategy_rotate_seconds  - -1
DNS_strategy_fail_x          - -1
DNS_strategy_fail_seconds    - -1
Retry_Max_Attempts           - 0
Retry_Increase_Attempts      - 0
Retry_Duration               - 0
```