Cobalt Strike beacons on the same range. Reference: https://twitter.com/Max_Mal_/status/1485984545623134213 (#Emotet infection leads to #CobaltStrike)

####################################################
https://172.241.27.107/

C2 Server: repigeleli.com (/ro.html)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
HttpPostUri: /fam_newspaper
SleepTime: 5000
MaxGetSize: 2796804
Jitter: 15
MaxDNS: Not Found
PublicKey MD5: db61a374b7fb8a975193dd10a016565c
Malleable C2 Instructions:
  Remove 600 bytes from the beginning
  Base64 decode
  NetBIOS decode 'a'
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe

####################################################
https://172.241.27.123/

C2 Server: vafici.com (/ba.js)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
HttpPostUri: /FAQ
SleepTime: 5000
MaxGetSize: 2797078
Jitter: 8
MaxDNS: Not Found
PublicKey MD5: a8bff98c789f609084be10dcc6e564c9
Malleable C2 Instructions:
  Remove 874 bytes from the beginning
  Base64 decode
  NetBIOS decode 'a'
Spawnto_x86: %windir%\syswow64\mstsc.exe
Spawnto_x64: %windir%\sysnative\mstsc.exe

####################################################
https://172.241.27.128/

C2 Server: ragojel.com (/RELEASE)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
HttpPostUri: /sitemap
SleepTime: 5000
MaxGetSize: 1864740
Jitter: 23
MaxDNS: Not Found
PublicKey MD5: 7863048c80cb32b195977ec72bcf7b51
Malleable C2 Instructions:
  Remove 600 bytes from the beginning
  Base64 decode
  Base64 decode
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe

####################################################
https://172.241.27.198/

C2 Server: sufebul.com (/en.js)
Watermark: 1580103814
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
HttpPostUri: /FAQ
SleepTime: 5000
MaxGetSize: 2797085
Jitter: 7
MaxDNS: Not Found
PublicKey MD5: f3b81a729b58e699e306e87bd53e13f1
Malleable C2 Instructions:
  Remove 881 bytes from the beginning
  Base64 decode
  NetBIOS decode 'A'
Spawnto_x86: %windir%\syswow64\mstsc.exe
Spawnto_x64: %windir%\sysnative\mstsc.exe

####################################################
https://172.241.27.230/

C2 Server: lawapuyal.com (/posting)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202
HttpPostUri: /eo
SleepTime: 5000
MaxGetSize: 1864474
Jitter: 27
MaxDNS: Not Found
PublicKey MD5: d6014c2eb47d9335aed2ecbd039d8e53
Malleable C2 Instructions:
  Remove 338 bytes from the beginning
  Base64 decode
  Base64 URL-safe decode
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe

####################################################
https://172.241.27.248/

C2 Server: zolewiso.com (/panel)
Watermark: 0
BeaconType: HTTPS
Port: 443
UserAgent: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri: /tab_home_active
SleepTime: 5000
MaxGetSize: 1398446
Jitter: 28
MaxDNS: Not Found
PublicKey MD5: af242ec456596684cd6984f5d480bceb
Malleable C2 Instructions:
  Remove 338 bytes from the beginning
  Base64 decode
  XOR mask w/ random key
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe