Cobalt Strike Beacon Detected – 104[.]194[.]248[.]76:443

Cobalt Strike Beacon Detection Alerts

The information provided at the time of posting was detected as “Cobalt Strike”. Depending on when you are viewing this article, it may no longer be the case and could be determined to be a false positive. Please do your own additional validation. – RedPacket Security

TimeStamp: 2021-11-16T16:28:44.850545

Cobalt Strike

General Information

ID: 2103797386
Cloud Provider: 
Cloud Region: 
Service: 
Domains: N/A
Hostnames: N/A
HTTP Host: 104[.]194[.]248[.]76
ISP: MULTACOM CORPORATION
ORG: MULTACOM CORPORATION
OS: N/A
HTTP: N/A
HTTP HTML HASH: N/A
HTTP LOCATION: /
HTTP REDIRECTS: 
HTTP ROBOTS: N/A
HTTP ROBOTS HASH: N/A
HTTP SECURITY.TXT: N/A
HTTP SECURITY.TXT HASH: N/A
HTTP SERVER: Microsoft-IIS/10.0
HTTP SITEMAP: N/A
HTTP SITEMAP HASH: N/A
HTTP TITLE: N/A
LOCATION (AREA CODE): N/A
LOCATION (CITY): Los Angeles
LOCATION (COUNTRY CODE): US
LOCATION (COUNTRY NAME): United States
LOCATION (LATITUDE): 34.05223
LOCATION (LONGITUDE): -118.24368
LOCATION (POSTAL CODE): N/A
SSL SERIAL: 
SSL EXPIRED: N/A
SSL FINGERPRINT (SHA1): 43eb832896a1217f837bdea53233c0857b4b4a3b
SSL ISSUED: 20211022153309Z
SSL EXPIRES: 20221022153309Z
SSL CIPHER: ECDHE-RSA-AES256-GCM-SHA384
SSL VERSION: TLSv1/SSLv3
SSL TRUST (REVOKED): N/A
TAGS: self-signed


Cobalt Strike Beacon Information

Beacon Type: HTTPS
http-get.client: Accept: application/xhtml+xml, image/*, text/html, Accept-Language: ku, Accept-Encoding: identity, compress, secure_id_HVNK5EQY1M7U9A72R32IP55BRV17K=, Cookie
http-post.client: Accept: image/*, text/html, application/xml, Accept-Language: ar-om, Accept-Encoding: gzip, compress, _VUNAUMVG
DNS Beacon MaxDNS: N/A
DNS Beacon Idle: N/A
Beacon Jitter: 46
dns-beacon.strategy_fail_seconds: -1
dns-beacon.strategy_rotate_seconds: -1
dns-beacon.strategy_fail_x: -1
HTTP GET URI: 104[.]194[.]248[.]76,/Quit/workshops/A376XB5AKQU
HTTP POST URI: /Display/Settings/N0H6XR00Y
Max GET Size: 2098980
Port: 443
post-ex.spawnto_x64: %windir%\sysnative\Locator[.]exe
post-ex.spawnto_x86: %windir%\syswow64\getmac[.]exe /V
process-inject.startrwx: 4
process-inject.userwx: 32
process-inject.allocator: 1
proxy.behavior: 2 (Use IE settings)
sleeptime: 115525
useragent_header: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22
uses_cookies: 1
process-inject.execute: ntdll:RtlUserThreadStart, CreateThread, NtQueueApcThread-s, CreateRemoteThread, RtlCreateUserThread
Watermark: 426352781
Beacon Stage Cleanup: 1