Cobalt Stike Beacon Detected – 18[.]133[.]129[.]215:443

Cobalt Strike Beacon Detection Alerts

The Information provided at the time of posting was detected as “Cobalt Strike”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security

TimeStamp 2021-11-10T21:43:41.635172

Cobalt Strike
Cobalt Strike

General Information

4.109873487355564e+41
Cloud ProviderAmazon
Cloud Regioneu-west-2
ServiceAMAZON
Domainsamazonaws[.]com
Hostnamesec2-18-133-129-215[.]eu-west-2[.]compute[.]amazonaws[.]com
HTTP Host18[.]133[.]129[.]215
ISPAmazon.com, Inc.
ORGAmazon Data Services UK
OSN/A
HTTPN/A
HTTP HTML HASHN/A
HTTP LOCATION/
HTTP REDIRECTS
HTTP ROBOTSN/A
HTTP ROBOTS HASHN/A
HTTP SECURITY.TXTN/A
HTTP SECURITY.TXT HASHN/A
HTTP SERVERN/A
HTTP SITEMAPN/A
HTTP SITEMAP HASHN/A
HTTP TITLEN/A
LOCATION (AREA CODE)N/A
LOCATION (CITY)London
LOCATION (COUNTRY CODE)GB
LOCATION (COUNTRY NAME)United Kingdom
LOCATION (LATITUDE)51.50853
LOCATION (LONGITUDE)-0.12574
LOCATION (POSTAL CODE)N/A
SSL SERIAL
SSL EXPIREDN/A
SSL FINGERPRINT (SHA1)c8e94ba5a8eacf1b890f150fec71c7874ff21baa
SSL ISSUED20211013083352Z
SSL EXPIRES20220111083351Z
SSL CYPHERECDHE-RSA-AES256-GCM-SHA384
SSL VERSIONTLSv1/SSLv3
SSL TRUST (REVOKED)N/A
TAGScloud


Cobalt Strike Beacon Information

Beacon TypeHTTPS
http-get.clientAccept: /, Host: d1s8qo6v47jkj8[.]cloudfront[.]net, Referer: https://session[.]dancing-apple[.]co[.]uk/StrongCustomerAuthentication[.]aspx, Cookie: JSESSIONID=a5751314d324d34597a6c6a596a46684d7a45795a6;FCApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;Auth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs, RefererIdent, go=Search, qs=bs, form=QBRE
http-post.clientAccept: /, Content-Type: text/html; charset=utf-8, X-Content-Type-Options: nosniff, Host: d1s8qo6v47jkj8[.]cloudfront[.]net, Cookie: JSESSIONID=a5751314d324d34597a6c6a596a46684d7a45795a6;FCApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;Auth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs, RefererIdent, go=Search, qs=bs, form
DNS Beacon MaxDNSN/A
DNS Beacon IdleN/A
Beacon Jitter61
dns-beacon.strategy_fail_seconds-1
dns-beacon.strategy_rotate_seconds-1
dns-beacon.strategy_fail_x-1
HTTP GET URIqy95b2jfmi[.]execute-api[.]eu-west-2[.]amazonaws[.]com,/api/sdlob/AccountSummary2[.]aspx
HTTP POST URI/api/sdlob/adj/AccountSummary.aspx
Max GET Size2098703
Port443
post-ex.spawnto_x64%windir%\sysnative\WerFault[.]exe
post-ex.spawnto_x86%windir%\syswow64\WerFault[.]exe
process-inject.startrwx4
process-inject.userwx32
process-inject.allocator1
proxy.behavior2 (Use IE settings)
sleeptime149000
useragent_headerMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
uses_cookies1
process-inject.executentdll:RtlUserThreadStart, CreateThread, NtQueueApcThread-s, CreateRemoteThread, RtlCreateUserThread
Watermark1622403640
Beacon Stage Cleanup1