Cobalt Stike Beacon Detected – 139[.]180[.]175[.]197:443

Cobalt Strike Beacon Detection Alerts

The Information provided at the time of posting was detected as “Cobalt Strike”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security

TimeStamp 2021-11-17T16:46:09.019788

Cobalt Strike
Cobalt Strike

General Information

1111784376
Cloud ProviderVultr
Cloud RegionN/A
ServiceN/A
Domainsvultr[.]com
Hostnames139[.]180[.]175[.]197[.]vultr[.]com
HTTP Host139[.]180[.]175[.]197
ISPThe Constant Company, LLC
ORGThe Constant Company, LLC
OSN/A
HTTPN/A
HTTP HTML HASHN/A
HTTP LOCATION/
HTTP REDIRECTS
HTTP ROBOTSN/A
HTTP ROBOTS HASHN/A
HTTP SECURITY.TXTN/A
HTTP SECURITY.TXT HASHN/A
HTTP SERVERPagely Gateway/1.5.1
HTTP SITEMAPN/A
HTTP SITEMAP HASHN/A
HTTP TITLEN/A
LOCATION (AREA CODE)N/A
LOCATION (CITY)Sydney
LOCATION (COUNTRY CODE)AU
LOCATION (COUNTRY NAME)Australia
LOCATION (LATITUDE)-33.86785
LOCATION (LONGITUDE)151.20732
LOCATION (POSTAL CODE)N/A
SSL SERIAL
SSL EXPIREDN/A
SSL FINGERPRINT (SHA1)6d9d93a271194c00f094b920c692ca0323187938
SSL ISSUED20210913033510Z
SSL EXPIRES20220913033510Z
SSL CYPHERECDHE-RSA-AES256-GCM-SHA384
SSL VERSIONTLSv1/SSLv3
SSL TRUST (REVOKED)N/A
TAGScloud, self-signed


Cobalt Strike Beacon Information

Beacon TypeHTTPS
http-get.clientConnection: close, Accept: image/*, wordpress_logged_in_1870a829d9bc69abf500eca6f00241fe=, Cookie, fullname=true
http-post.clientConnection: close, Accept-Language: en-GB;q=0[.]9, *;q=0[.]7, Content-Type: application/x-www-form-urlencoded, column=, __session__id=, Cookie
DNS Beacon MaxDNSN/A
DNS Beacon IdleN/A
Beacon Jitter37
dns-beacon.strategy_fail_seconds-1
dns-beacon.strategy_rotate_seconds-1
dns-beacon.strategy_fail_x-1
HTTP GET URI139[.]180[.]175[.]197,/FAQ[.]js
HTTP POST URI/bn
Max GET Size1398982
Port443
post-ex.spawnto_x64%windir%\sysnative\svchost[.]exe
post-ex.spawnto_x86%windir%\syswow64\svchost[.]exe
process-inject.startrwx4
process-inject.userwx32
process-inject.allocatorN/A
proxy.behavior2 (Use IE settings)
sleeptime61610
useragent_headerMozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
uses_cookies1
process-inject.executeCreateThread, RtlCreateUserThread, CreateRemoteThread
WatermarkN/A
Beacon Stage Cleanup1