Cobalt Strike Beacon Detected – 54[.]183[.]123[.]73:8443

Cobalt Strike Beacon Detection Alerts

The information provided at the time of posting was detected as “Cobalt Strike”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security

Timestamp: 2021-11-11T22:37:49.293186

Cobalt Strike

General Information

3.4465360469384672e+41
Cloud Provider: Amazon
Cloud Region: us-west-1
Service: AMAZON
Domains: amazonaws[.]com
Hostnames: ec2-54-183-123-73[.]us-west-1[.]compute[.]amazonaws[.]com
HTTP Host: 54[.]183[.]123[.]73
ISP: Amazon.com, Inc.
ORG: Amazon Technologies Inc.
OS: N/A
HTTP: N/A
HTTP HTML HASH: N/A
HTTP LOCATION: /
HTTP REDIRECTS:
HTTP ROBOTS: N/A
HTTP ROBOTS HASH: N/A
HTTP SECURITY.TXT: N/A
HTTP SECURITY.TXT HASH: N/A
HTTP SERVER: N/A
HTTP SITEMAP: N/A
HTTP SITEMAP HASH: N/A
HTTP TITLE: N/A
LOCATION (AREA CODE): N/A
LOCATION (CITY): San Jose
LOCATION (COUNTRY CODE): US
LOCATION (COUNTRY NAME): United States
LOCATION (LATITUDE): 37.33939
LOCATION (LONGITUDE): -121.89496
LOCATION (POSTAL CODE): N/A
SSL SERIAL:
SSL EXPIRED: N/A
SSL FINGERPRINT (SHA1): 28b5b3e65f51156468fed29eb6e58e94850de751
SSL ISSUED: 20210825022429Z
SSL EXPIRES: 20211123022428Z
SSL CYPHER: ECDHE-RSA-AES256-GCM-SHA384
SSL VERSION: TLSv1/SSLv3
SSL TRUST (REVOKED): N/A
TAGS: cloud


Cobalt Strike Beacon Information

Beacon Type: HTTPS
http-get.client: Accept: text/html, text/plain, */*, Accept-Language: zh-CN,zh;q=0[.]8,zh-TW;q=0[.]7,zh-HK;q=0[.]5,en-US;q=0[.]3,en;q=0[.]2, Connection: Keep-Alive, Cache-Control: no-cache, BIGIpServerPOOL_ID, osname=win, channel=stable, milestone=80
http-post.client: Accept: text/html, text/plain, */*, Accept-Language: zh-CN,zh;q=0[.]8,zh-TW;q=0[.]7,zh-HK;q=0[.]5,en-US;q=0[.]3,en;q=0[.]2, Connection: Keep-Alive, Cache-Control: no-cache, x-client-id, x-encrypt-data
DNS Beacon MaxDNS: N/A
DNS Beacon Idle: N/A
Beacon Jitter: 20
dns-beacon.strategy_fail_seconds: N/A
dns-beacon.strategy_rotate_seconds: N/A
dns-beacon.strategy_fail_x: N/A
HTTP GET URI: dzf7f2mb4xz8o[.]cloudfront[.]net,/v1/updateCheck
HTTP POST URI: /v1/releaseMgr
Max GET Size: 1398102
Port: 443
post-ex.spawnto_x64: %windir%\sysnative\rundll32[.]exe
post-ex.spawnto_x86: %windir%\syswow64\rundll32[.]exe
process-inject.startrwx: 64
process-inject.userwx: 64
process-inject.allocator: N/A
proxy.behavior: 2 (Use IE settings)
sleeptime: 10000
useragent_header: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebkit/537.36 Chrome/71.0.3578.98
uses_cookies: N/A
process-inject.execute: CreateThread, SetThreadContext, CreateRemoteThread, RtlCreateUserThread
Watermark: 1359593325
Beacon Stage Cleanup: N/A