ThreatFox IOC Database

You are viewing the ThreatFox database entry for the URL http://d18krv932r2kbr.cloudfront.net:80/access/.

Database Entry

IOC ID: 295294
IOC: http://d18krv932r2kbr.cloudfront.net:80/access/
IOC Type: url
Threat Type: botnet_cc
Malware: Cobalt Strike
Malware alias: Agentemis, BEACON, CobaltStrike
Confidence Level: moderate (50%)
First seen: 2022-01-14 20:09:19 UTC
Last seen: never
UUID: db8e9b79-7575-11ec-8ab6-42010aa4000a
Reporter: @HarioMenkel
Reward: 10 credits from anonymous
Tags: CobaltStrike

Twitter
@HarioMenkel
[ Download URL of Beacon ]
http://198.52.107.210:80/
[ Extracted Beacon Config ]
BeaconType: ['HTTP']
Port: 80
SleepTime: 330
MaxGetSize: 1048620
Jitter: 0
MaxDNS: 247
PublicKey: b'0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\x9f\n\x13@\x94B-o\\\xfa*\xd3\xa9\xef{\x87b\xf1\x97\x96\xc4$\x972\xbe\xaa2n\xce\xdd\xd1$v\xd1ZVA>\xea8\x17\xf4I\x83.D9\xdb\x10qt$\x08\x10Z\x9d%X3\xaa\xb3%`\xb6\xd7\xc6\x10\x01p Z\xf33\x05*W\xfe\x13R\xdaF\x89X\xd4+6j\x94\x1c\xe5\x8a\x89\xbf\xa1\x98\xd3.\x8d\xfa\xd1\xc8,CfOqA\xcc\xc2s\xa0=d\xcd?<\xe0\xc2f\xa5\x81\xa4P4%pP\xaf\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
PublicKey_MD5: d2d8c703b6c7f61c05e218234b847b1a
C2Server: d18krv932r2kbr.cloudfront.net,/access/
UserAgent: Mozilla/5.0 (Windows NT 6.1; rv:1.9) Gecko/20100101 Firefox/4.0
HttpPostUri: /radio/xmlrpc/v35
Malleable_C2_Instructions: ['Remove 16 bytes from the beginning', 'Remove 16 bytes from the beginning', 'Remove 12 bytes from the beginning']
HttpGet_Metadata: {'ConstHeaders': ['Accept: */*', 'GetContentFeatures.DLNA.ORG: 1', 'Host: d18krv932r2kbr.cloudfront.net', 'Cookie: __utma=502707824.7005542865.2664901696.9852451196.7471244708.8;'], 'ConstParams': ['version=4', 'lid=3738845281'], 'Metadata': ['netbios', 'parameter "token"'], 'SessionId': [], 'Output': []}
HttpPost_Metadata: {'ConstHeaders': ['Accept: */*', 'Content-Type: text/xml', 'X-Requested-With: XMLHttpRequest', 'Host: d18krv932r2kbr.cloudfront.net'], 'ConstParams': ['lid=5888270190', 'method=getSearchRecommendations'], 'Metadata': [], 'SessionId': ['parameter "rid"'], 'Output': ['base64', 'print']}
SpawnTo: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
PipeName:
DNS_Idle: 0.0.0.0
DNS_Sleep: 0
SSH_Host: Not Found
SSH_Port: Not Found
SSH_Username: Not Found
SSH_Password_Plaintext: Not Found
SSH_Password_Pubkey: Not Found
SSH_Banner:
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
CryptoScheme: 0
Proxy_Config: Not Found
Proxy_User: Not Found
Proxy_Password: Not Found
Proxy_Behavior: Use IE settings
Watermark: 305419896
bStageCleanup: False
bCFGCaution: False
KillDate: 0
bProcInject_StartRWX: True
bProcInject_UseRWX: True
bProcInject_MinAllocSize: 0
ProcInject_PrependAppend_x86: Empty
ProcInject_PrependAppend_x64: Empty
ProcInject_Execute: ['CreateThread', 'SetThreadContext', 'CreateRemoteThread', 'RtlCreateUserThread']
ProcInject_AllocationMethod: VirtualAllocEx
ProcInject_Stub: b'\xa5l\x818d\xaf\x87\x8aL\x10\x08<\xa1W\x8e\n'
bUsesCookies: True
HostHeader:
smbFrameHeader: Not Found
tcpFrameHeader: Not Found
headersToRemove: Not Found
DNS_Beaconing: Not Found
DNS_get_TypeA: Not Found
DNS_get_TypeAAAA: Not Found
DNS_get_TypeTXT: Not Found
DNS_put_metadata: Not Found
DNS_put_output: Not Found
DNS_resolver: Not Found
DNS_strategy: Not Found
DNS_strategy_rotate_seconds: Not Found
DNS_strategy_fail_x: Not Found
DNS_strategy_fail_seconds: Not Found
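The extracted config above is enough to build request-level matching for this Beacon: the GET check-in goes to /access/ with the constant parameters version=4 and lid=3738845281 and the RSA-encrypted metadata netbios-encoded into the "token" parameter, the POST goes to /radio/xmlrpc/v35 with the session id in "rid", the server response has 16+16+12 bytes stripped from the front before the remainder is treated as tasking, and the sleep is a fixed 330 seconds with 0% jitter. The script below is an added example written for this page; it is not part of the ThreatFox entry, the reporter's tweet, or Cobalt Strike. The constants are copied from the config, the netbios encoding (each byte as two characters in the range a-p) is the one Cobalt Strike's Malleable C2 documents, and every request and timestamp it is run against is constructed for the demo.

```python
"""Matching logic derived from the Beacon config in this ThreatFox entry.

Added example, not code from the page, the reporter or Cobalt Strike.
All sample requests and timestamps are constructed for the demo.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Fields copied from the extracted Beacon config above.
C2_HOST = "d18krv932r2kbr.cloudfront.net"
GET_URI = "/access/"
POST_URI = "/radio/xmlrpc/v35"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:1.9) Gecko/20100101 Firefox/4.0"
GET_CONST_PARAMS = {"version": "4", "lid": "3738845281"}
POST_CONST_PARAMS = {"lid": "5888270190", "method": "getSearchRecommendations"}
GET_COOKIE_PREFIX = "__utma=502707824.7005542865.2664901696.9852451196.7471244708.8;"
SLEEP_SECONDS = 330
JITTER_PERCENT = 0
WATERMARK = 305419896  # decimal of 0x12345678
# Malleable_C2_Instructions: the beacon strips these prefixes, in order,
# from the HTTP response body before parsing the remainder as tasking.
RESPONSE_TRANSFORMS = [16, 16, 12]


def netbios_encode(data: bytes) -> str:
    """Cobalt Strike 'netbios' encoding: each nibble becomes a letter a-p."""
    return "".join(chr(0x61 + (b >> 4)) + chr(0x61 + (b & 0xF)) for b in data)


def netbios_decode(s: str) -> bytes:
    """Reverse of netbios_encode; rejects anything outside the a-p alphabet."""
    if len(s) % 2 or not re.fullmatch(r"[a-p]*", s):
        raise ValueError("not netbios (a-p) encoded")
    out = bytearray()
    for i in range(0, len(s), 2):
        out.append(((ord(s[i]) - 0x61) << 4) | (ord(s[i + 1]) - 0x61))
    return bytes(out)


def recover_tasking(body: bytes) -> bytes:
    """Apply the config's 'Remove N bytes from the beginning' transforms."""
    for n in RESPONSE_TRANSFORMS:
        if len(body) < n:
            raise ValueError("response shorter than the transform prefix")
        body = body[n:]
    return body


def classify_request(method: str, url: str, headers: dict) -> Optional[dict]:
    """Match one request against the GET and POST shapes in the profile.

    Returns a dict describing the match (kind, whether the UA matched, and
    the decoded metadata length or session id) or None if it does not match.
    """
    u = urlsplit(url)
    if u.hostname != C2_HOST:
        return None
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    ua_ok = headers.get("User-Agent") == USER_AGENT
    if method == "GET" and u.path == GET_URI:
        if (all(q.get(k) == v for k, v in GET_CONST_PARAMS.items())
                and "token" in q
                and headers.get("Cookie", "").startswith(GET_COOKIE_PREFIX)):
            try:
                meta = netbios_decode(q["token"])  # RSA ciphertext, still opaque
            except ValueError:
                return None
            return {"kind": "beacon_get", "ua_match": ua_ok, "metadata_len": len(meta)}
    if method == "POST" and u.path == POST_URI:
        if all(q.get(k) == v for k, v in POST_CONST_PARAMS.items()) and "rid" in q:
            return {"kind": "beacon_post", "ua_match": ua_ok, "session_id": q["rid"]}
    return None


def is_beaconing(timestamps, sleep=SLEEP_SECONDS, jitter=JITTER_PERCENT, slack=2.0):
    """True if every gap fits the profile's sleep; jitter only shortens a sleep."""
    if len(timestamps) < 3:
        return False
    lo = sleep * (1 - jitter / 100) - slack
    hi = sleep + slack
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return all(lo <= g <= hi for g in gaps)


if __name__ == "__main__":
    # Constructed check-in: 128 bytes of (fake) RSA-1024 ciphertext in "token".
    token = netbios_encode(bytes(128))
    print(classify_request(
        "GET", f"http://{C2_HOST}{GET_URI}?version=4&lid=3738845281&token={token}",
        {"User-Agent": USER_AGENT, "Cookie": GET_COOKIE_PREFIX}))
    print(recover_tasking(b"\x00" * 44 + b"<tasking>"))
    print(is_beaconing([0, 330, 660, 990]), is_beaconing([0, 330, 500, 990]))
```

The metadata stays opaque after netbios decoding because it is RSA-encrypted to the 1024-bit public key in the config, so the decoded length (128 bytes) is the useful check, not the content. The watermark 305419896 is 0x12345678, a value seen across many unrelated Cobalt Strike samples, so it is not a pivot for attribution.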