-
Notifications
You must be signed in to change notification settings - Fork 5
/
2020-11-16-IOCs-for-Cobalt-Strike-activity.txt
30 lines (21 loc) · 1.22 KB
/
2020-11-16-IOCs-for-Cobalt-Strike-activity.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
2020-11-16 (MONDAY) - XLSX SPREADSHEET PUSHES COBALT STRIKE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1328425382140387328
NOTES:
- We've seen this spreadsheet template normally push Qakbot until mid-November 2020, when it started pushing other families of malware instead of Qakbot.
- Since mid-November 2020, we've occasionally seen this spreadsheet template push SmokeLoader or Cobalt Strike malware.
ASSOCIATED MALWARE:
- SHA256 hash: 4af251feed5a80976f897a0749147b74ec92ad90695eea87eeb21f83a41cff7f
- File size: 366,296 bytes
- File name: Document11355.xlsb
- File description: XLSX file with macros for Cobalt Strike
- SHA256 hash: c81cbf497e7427936c0f15290fe4a1648c8fc10c249d3b97e67897bd1e2808b6
- File size: 237,568 bytes
- File location: hxxp://99promo[.]com/ds/161120.gif
- File location: C:\1b3SX\iD93\tor.exe
- File description: Windows executable file (EXE) for Cobalt Strike
INFECTION TRAFFIC:
- 35.209.123[.]121 port 80 - 99promo[.]com - GET /ds/161120.gif
- 185.99.133[.]180 port 80 - 185.99.133[.]180 - GET /IE9CompatViewList.xml
- 185.99.133[.]180 port 80 - 185.99.133[.]180 - POST /submit.php?id=12345678
- NOTE: 1245678 in the above line replaces an 8-digit identification number for the infected Windows host