MichaelKoczwara

## CS beacon
{"x64": {"time": 1632046026055.9,
"sha1": "62862d22134c8b566d74e753f0215007ee95a8d1",
"sha256": "17eac46860fe0c853b245dd997eb45721073a0a2475249a6a2ae33d7e8a98cd4",
"config": {"HTTP Method Path 2": "\/api\/conversations.create",
"Polling": 30000,
"Watermark": 1192230662,
"Spawn To x86": "C:\\windows\\system32\\conhost.exe 0x4",
"Port": 443, "Beacon Type": "8 (HTTPS)",
"C2 Server": "www.davismemorialhospital.org,\/api\/channels\/replies",
"C2 Host Header": "Host: www.davismemorialhospital.org\r\n",

## beacon configs
ip:

45.147.230.87
45.147.230.236
45.153.241.251
45.153.242.111
45.147.228.115
45.147.228.143
45.153.242.112
152.89.247.172

## beacon configs
Cobalt Strike C2 running on 45.147.229[.]242 (Watermark: 1580103814)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0

## Conti C2
162.244.80.229
fivezin.com,/jquery-3.3.1.min.js

162.244.82.77
soft.azureedge.net,/jquery-3.3.1.min.js

162.244.80.229
fivezin.com,/jquery-3.3.1.min.js

162.244.81.10

## Conti C2
Possible Conti C2 Cobalt Strike Infrastructure
----------------------------------

217.12.202.110
fivefkl.com,/jquery-3.3.1.min.js

185.203.116.231
amusient.com,/jquery-3.5.1.min.js

217.12.202.71

## Cobalt Strike - 3.136.160.122
{"x86": {"md5": "14b8702f70942381f3bf001986e5c410", "sha1": "65722b1f7a74309fb56d0b2bbe9f447f2cc02bff", "time": 1620300626962.9, "config": {"Beacon Type": "8 (HTTPS)", "Spawn To x64": "%windir%\\sysnative\\spoolsv.exe", "Method 1": "GET", "HTTP Method Path 2": "\/jquery-3.3.2.min.js", "Header 1": "", "C2 Server": "telemetry.wessonlabpartners.com,\/jquery-3.3.1.min.js,admitting.healthfitconnection.com,\/jquery-3.3.1.min.js,skilled_nursing.healthmanagementtoday.com,\/jquery-3.3.1.min.js", "User Agent": "Mozilla\/5.0 (Windows NT 6.3; Trident\/7.0; rv:11.0) like Gecko", "Max DNS": 255, "Polling": 60000, "DNS Idle": "3.136.160.122", "Pipe Name": "", "Method 2": "POST", "DNS Sleep": 0, "Port": 443, "Jitter": 37, "Spawn To x86": "%windir%\\syswow64\\spoolsv.exe", "Header 2": ""}, "sha256": "2c345b24fe0c5c275ed85580b50565ee6b376a02f81356c723f15eabc0f2884a"}, "x64": {"md5": "12ebf918714aaeeec66272e690596a09", "sha1": "a13194e306cf2df2fb628ea236879d326ef190ed", "time": 1620300629257.4, "config": {"Beacon Type": "8 (HTT

## Cobalt Strike - C2
{
    "Ip": "42.193.225.116",
    "Ports": ["42.193.225.116:22", "42.193.225.116:8888"],
    "DefaultBeaconResponses": {
        "http://42.193.225.116:8888/": "302/219"
    },
    "Jarm": "",
    "Certificate": "",
    "Beacons": null
}

## Cobalt Strike-C2
http://195.206.181.210:80/aaa9 200 209981
    {
        "": "\u0004",
        ".cryptoscheme": "0",
        ".http-get.client": "\u0007\u0003\u0006\u0006Cookie",
        ".http-get.server.output": "\u0004",
        ".http-get.uri": "195.206.181.210,/ga.js",
        ".http-get.verb": "GET",
        ".http-post.client": "\n\u0026Content-Type: application/octet-stream\u0007\u0005\u0002id\u0007\u0001\u0004",
        ".http-post.uri": "/submit.php",

## Cobalt Strike - Office-C2
139.60.161.62

{"x64": {"md5": "76ea371a846882c14e1203da09dc6e11", "sha1": "208e53753c6435dcb02001d8a8c8f62fbb4ce79c", "time": 1618902720340.7, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/", "Port": 443, "Beacon Type": "8 (HTTPS)", "Method 2": "GET", "Jitter": 20, "Header 2": "", "DNS Idle": "8.8.8.8", "HTTP Method Path 2": "\/OWA\/", "Max DNS": 235, "Header 1": "", "Method 1": "GET", "User Agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "Polling": 30000, "Pipe Name": ""}, "sha256": "2f256a1b4af0453ae3b7468528e9a21bd767d1b4c8fd86f655e29b5f177215bb"}, "x86": {"md5": "8082ddcf750b84602c0ad0eeff6625c3", "sha1": "f9b4bb659d6c348d1fe8f6c5155831d4b91b8bce", "time": 1618902717665.6, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/"

## Cobalt Strike 218.132.147.207 - 18.130.120.177
18.130.120.177
ec2-18-130-120-177.eu-west-2.compute.amazonaws.com

{"x64": {"md5": "2464855b99ecfd5a0700362a4e0d7656", "config": {"Method 1": "GET", "HTTP Method Path 2": "\/history\/", "Jitter": 0, "C2 Server": "sage-salesforce.com,\/image\/", "Polling": 5000, "Spawn To x86": "%windir%\\syswow64\\mstsc.exe", "Method 2": "GET", "Port": 443, "Beacon Type": "8 (HTTPS)", "Spawn To x64": "%windir%\\sysnative\\mstsc.exe"}, "sha256": "2d1082f1d75d8dc7e66268cf0611d3154d4fe9c43164386d15f64338328b3ccd", "sha1": "be3c6cab9996eee75b08b1d642bef033fee13b58", "time": 1618653337245.6}, "x86": {"md5": "7ffdc76fae6f5b9e2368aa9f6e91eb43", "config": {"Method 1": "GET", "HTTP Method Path 2": "\/history\/", "Jitter": 0, "C2 Server": "sage-salesforce.com,\/image\/", "Polling": 5000, "Spawn To x86": "%windir%\\syswow64\\mstsc.exe", "Method 2": "GET", "Port": 443, "Beacon Type": "8 (HTTPS)", "Spawn To x64": "%windir%\\sysnative\\mstsc.exe"}, "sha256": "ea8bbe9060f7c0e05a1efc648d72753a62e7ecbef1d8ad239c2ba83d43cd10fc", "sha1": "630d
	{"x64": {"time": 1632046026055.9,
	"sha1": "62862d22134c8b566d74e753f0215007ee95a8d1",
	"sha256": "17eac46860fe0c853b245dd997eb45721073a0a2475249a6a2ae33d7e8a98cd4",
	"config": {"HTTP Method Path 2": "\/api\/conversations.create",
	"Polling": 30000,
	"Watermark": 1192230662,
	"Spawn To x86": "C:\\windows\\system32\\conhost.exe 0x4",
	"Port": 443, "Beacon Type": "8 (HTTPS)",
	"C2 Server": "www.davismemorialhospital.org,\/api\/channels\/replies",
	"C2 Host Header": "Host: www.davismemorialhospital.org\r\n",
	ip:

	45.147.230.87
	45.147.230.236
	45.153.241.251
	45.153.242.111
	45.147.228.115
	45.147.228.143
	45.153.242.112
	152.89.247.172
	Cobalt Strike C2 running on 45.147.229[.]242 (Watermark: 1580103814)

	HTTP/1.1 404 Not Found
	Server: Microsoft-IIS/8.5
	Content-Type: text/plain
	Cache-Control: max-age=1
	Connection: keep-alive
	X-Powered-By: ASP.NET
	Content-Length: 0
	162.244.80.229
	fivezin.com,/jquery-3.3.1.min.js

	162.244.82.77
	soft.azureedge.net,/jquery-3.3.1.min.js

	162.244.80.229
	fivezin.com,/jquery-3.3.1.min.js

	162.244.81.10
	Possible Conti C2 Cobalt Strike Infrastructure
	----------------------------------

	217.12.202.110
	fivefkl.com,/jquery-3.3.1.min.js

	185.203.116.231
	amusient.com,/jquery-3.5.1.min.js

	217.12.202.71
	{
	"Ip": "42.193.225.116",
	"Ports": ["42.193.225.116:22", "42.193.225.116:8888"],
	"DefaultBeaconResponses": {
	"http://42.193.225.116:8888/": "302/219"
	},
	"Jarm": "",
	"Certificate": "",
	"Beacons": null
	}
	http://195.206.181.210:80/aaa9 200 209981
	{
	"": "\u0004",
	".cryptoscheme": "0",
	".http-get.client": "\u0007\u0003\u0006\u0006Cookie",
	".http-get.server.output": "\u0004",
	".http-get.uri": "195.206.181.210,/ga.js",
	".http-get.verb": "GET",
	".http-post.client": "\n\u0026Content-Type: application/octet-stream\u0007\u0005\u0002id\u0007\u0001\u0004",
	".http-post.uri": "/submit.php",
	139.60.161.62

	{"x64": {"md5": "76ea371a846882c14e1203da09dc6e11", "sha1": "208e53753c6435dcb02001d8a8c8f62fbb4ce79c", "time": 1618902720340.7, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/", "Port": 443, "Beacon Type": "8 (HTTPS)", "Method 2": "GET", "Jitter": 20, "Header 2": "", "DNS Idle": "8.8.8.8", "HTTP Method Path 2": "\/OWA\/", "Max DNS": 235, "Header 1": "", "Method 1": "GET", "User Agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "Polling": 30000, "Pipe Name": ""}, "sha256": "2f256a1b4af0453ae3b7468528e9a21bd767d1b4c8fd86f655e29b5f177215bb"}, "x86": {"md5": "8082ddcf750b84602c0ad0eeff6625c3", "sha1": "f9b4bb659d6c348d1fe8f6c5155831d4b91b8bce", "time": 1618902717665.6, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/"
	18.130.120.177
	ec2-18-130-120-177.eu-west-2.compute.amazonaws.com

	{"x64": {"md5": "2464855b99ecfd5a0700362a4e0d7656", "config": {"Method 1": "GET", "HTTP Method Path 2": "\/history\/", "Jitter": 0, "C2 Server": "sage-salesforce.com,\/image\/", "Polling": 5000, "Spawn To x86": "%windir%\\syswow64\\mstsc.exe", "Method 2": "GET", "Port": 443, "Beacon Type": "8 (HTTPS)", "Spawn To x64": "%windir%\\sysnative\\mstsc.exe"}, "sha256": "2d1082f1d75d8dc7e66268cf0611d3154d4fe9c43164386d15f64338328b3ccd", "sha1": "be3c6cab9996eee75b08b1d642bef033fee13b58", "time": 1618653337245.6}, "x86": {"md5": "7ffdc76fae6f5b9e2368aa9f6e91eb43", "config": {"Method 1": "GET", "HTTP Method Path 2": "\/history\/", "Jitter": 0, "C2 Server": "sage-salesforce.com,\/image\/", "Polling": 5000, "Spawn To x86": "%windir%\\syswow64\\mstsc.exe", "Method 2": "GET", "Port": 443, "Beacon Type": "8 (HTTPS)", "Spawn To x64": "%windir%\\sysnative\\mstsc.exe"}, "sha256": "ea8bbe9060f7c0e05a1efc648d72753a62e7ecbef1d8ad239c2ba83d43cd10fc", "sha1": "630d