Cobalt Strike Beacon Detected – 45[.]146[.]165[.]143:443

Cobalt Strike Beacon Detection Alerts

The information provided at the time of posting was detected as “Cobalt Strike”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security

Timestamp: 2021-11-18T12:21:35.537622

Cobalt Strike

General Information

2005821739
Cloud Provider:
Cloud Region:
Service:
Domains: N/A
Hostnames: N/A
HTTP Host: 45[.]146[.]165[.]143
ISP: OOO Network of data-centers Selectel
ORG: IT Resheniya LLC
OS: N/A
HTTP: N/A
HTTP HTML HASH: N/A
HTTP LOCATION: /
HTTP REDIRECTS:
HTTP ROBOTS: N/A
HTTP ROBOTS HASH: N/A
HTTP SECURITY.TXT: N/A
HTTP SECURITY.TXT HASH: N/A
HTTP SERVER: N/A
HTTP SITEMAP: N/A
HTTP SITEMAP HASH: N/A
HTTP TITLE: N/A
LOCATION (AREA CODE): N/A
LOCATION (CITY): Saint Petersburg
LOCATION (COUNTRY CODE): RU
LOCATION (COUNTRY NAME): Russian Federation
LOCATION (LATITUDE): 59.93863
LOCATION (LONGITUDE): 30.31413
LOCATION (POSTAL CODE): N/A
SSL SERIAL:
SSL EXPIRED: true
SSL FINGERPRINT (SHA1): 60c8652aa58e7db6bd710917e14f56f854307814
SSL ISSUED: 20210405022137Z
SSL EXPIRES: 20210704022137Z
SSL CIPHER: ECDHE-RSA-AES256-GCM-SHA384
SSL VERSION: TLSv1/SSLv3
SSL TRUST (REVOKED): N/A
TAGS: self-signed


Cobalt Strike Beacon Information

Beacon Type: HTTPS
http-get.client: Host: www[.]google[.]com, Accept: */*, Accept-Language: en-US;q=0[.]5,en;q=0[.]3, Accept-Encoding: gzip, deflate, Connection: close
http-post.client: Host: www[.]google[.]com, Accept: */*, Accept-Language: en-US;q=0[.]5,en;q=0[.]3, Accept-Encoding: gzip, deflate, Connection: close, &button=submit
DNS Beacon MaxDNS: 255
DNS Beacon Idle: 134744072 (0x08080808, i.e. the idle answer 8.8.8.8)
Beacon Jitter: 50 (%)
dns-beacon.strategy_fail_seconds: N/A
dns-beacon.strategy_rotate_seconds: N/A
dns-beacon.strategy_fail_x: N/A
HTTP GET URI: 45[.]146[.]165[.]143,/complete/search
HTTP POST URI: /gen_204
Max GET Size: 5592416
Port: 443
post-ex.spawnto_x64: %windir%\sysnative\lsass[.]exe
post-ex.spawnto_x86: %windir%\syswow64\lsass[.]exe
process-inject.startrwx: 64
process-inject.userwx: 64
process-inject.allocator: N/A
proxy.behavior: 2 (Use IE settings)
sleeptime: 10000 (ms)
useragent_header: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
uses_cookies: N/A
process-inject.execute: CreateThread, SetThreadContext, CreateRemoteThread, RtlCreateUserThread
Watermark: 305419896 (0x12345678)
Beacon Stage Cleanup: 1
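The profile above mimics Google autocomplete traffic (Host: www[.]google[.]com, GET /complete/search, POST /gen_204, a Chrome 89 User-Agent), so the URI and User-Agent on their own are weak signals; the strong signal is that the Host header claims google.com while the TCP peer is the published C2 address. The script below is an added example written for this page, not RedPacket's code: it refangs the published indicators, parses an assumed pipe-delimited proxy export (src_ip|dst_ip|dst_port|method|host_header|uri|user_agent, not any real vendor's format), and grades each constructed sample line so that traffic to the C2 endpoint is rated high while profile look-alikes on real Google IPs are only rated low.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the alert above, in the defanged form it publishes.
C2_IP_DEFANGED = "45[.]146[.]165[.]143"
C2_PORT = 443
HTTP_GET_URI = "/complete/search"
HTTP_POST_URI = "/gen_204"
SPOOFED_HOST = "www[.]google[.]com"
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36")


def refang(indicator: str) -> str:
    """Turn the published defanged value ('45[.]146...') back into a matchable string."""
    return indicator.replace("[.]", ".")


@dataclass
class ProxyEvent:
    src_ip: str
    dst_ip: str
    dst_port: int
    method: str
    host: str
    uri: str
    user_agent: str


# Assumed log layout (an assumption for this example, not a real vendor format).
LOG_RE = re.compile(
    r"^(?P<src>[^|]+)\|(?P<dst>[^|]+)\|(?P<port>\d+)\|(?P<method>[A-Z]+)\|"
    r"(?P<host>[^|]*)\|(?P<uri>[^|]*)\|(?P<ua>.*)$"
)


def parse_line(line: str) -> Optional[ProxyEvent]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return ProxyEvent(m["src"], m["dst"], int(m["port"]), m["method"],
                      m["host"], m["uri"], m["ua"])


def classify(ev: ProxyEvent) -> Tuple[str, List[str]]:
    """Return (severity, reasons): 'high' when the connection reaches the
    published C2 IP:port, 'low' when only profile look-alikes (URI, User-Agent)
    matched, which also fire on genuine google.com traffic, 'none' otherwise."""
    reasons: List[str] = []
    to_c2 = ev.dst_ip == refang(C2_IP_DEFANGED) and ev.dst_port == C2_PORT
    if to_c2:
        reasons.append("destination is the published C2 endpoint")
        if ev.host == refang(SPOOFED_HOST):
            # Host header claims google.com but the TCP peer is the C2 server:
            # that mismatch is the malleable profile's giveaway.
            reasons.append("Host header spoofs www.google.com")
    path = ev.uri.split("?", 1)[0]
    if ev.method == "GET" and path == HTTP_GET_URI:
        reasons.append("GET URI matches http-get profile")
    if ev.method == "POST" and path == HTTP_POST_URI:
        reasons.append("POST URI matches http-post profile")
    if ev.user_agent == USER_AGENT:
        reasons.append("User-Agent matches beacon profile")
    if to_c2:
        return "high", reasons
    return ("low" if reasons else "none"), reasons


def scan(lines) -> List[Tuple[ProxyEvent, str, List[str]]]:
    """Return (event, severity, reasons) for every parseable line that matched anything."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        severity, reasons = classify(ev)
        if severity != "none":
            hits.append((ev, severity, reasons))
    return hits


# Constructed sample lines (not real traffic; non-C2 peers use RFC 5737 test addresses):
# two beacon check-ins from 10.0.0.5, a genuine-looking Google autocomplete
# request from a newer Chrome, and unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5|45.146.165.143|443|GET|www.google.com|/complete/search?q=abc|Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
10.0.0.5|45.146.165.143|443|POST|www.google.com|/gen_204?button=submit|Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
10.0.0.7|203.0.113.10|443|GET|www.google.com|/complete/search?q=weather|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
10.0.0.9|198.51.100.20|443|GET|example.com|/|curl/7.79.1
"""

if __name__ == "__main__":
    for ev, severity, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{severity:4} {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port} {ev.method} {ev.uri}")
        for r in reasons:
            print("      -", r)
```

The severity split is the point: the third sample line matches the profile's GET URI exactly yet goes to a non-C2 address, so it stays at low and should not page anyone, while the first two lines combine the C2 destination with the spoofed Host header and would be the ones to escalate. Per the notice at the top of the page, the IP itself should be re-validated before being used as a blocking indicator.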